OSTU - Sake Blok on Unattended Packet Capturing with Dumpcap

Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.



  1. Unattended Packet Capturing with Dumpcap (July 2008)

  2. Welcome Back!
     - Second episode of a monthly series about using the Wireshark CLI tools
     - The other episodes can be found at: http://www.lovemytool.com/blog/2008/06/ostu_tshark.html
     Sake Blok on… Unattended Packet Capturing with Dumpcap. Network Analysis Community Center (http://www.netcc.nl), July 2008

  3. This month's topic
     - In this second episode, I will show you how to use dumpcap to capture packets for an extended period
     - You will learn:
       - why Wireshark and tshark use dumpcap
       - why you want to use dumpcap
       - how to use dumpcap
       - how to use a ringbuffer of files (for unattended capturing)
  4. Why Wireshark and tshark use dumpcap
     - Wireshark is about 1.6 million lines of code
     - Most of that code is for dissecting; only a small part is for capturing
     - Capturing from an interface usually needs root privileges, so running the whole program as root means running all of the dissector code as root ==> Security Risk!
     - dumpcap provides privilege separation: only the small capturing process runs with privileges, the dissecting process (Wireshark or tshark) does not

  5. Why you want to use dumpcap
     - Just network to disk
     - Low level of packet drops
     - No state information is kept, so memory use does not grow with the length of the capture
     - Perfect for long-term capturing
     - A lean, mean capture machine :-)
  6. Capturing with dumpcap (the -f argument is a capture filter in BPF syntax)

       $ dumpcap -i 3 -w all.cap
       File: all.cap
       Packets: 66512
       Packets dropped: 0
       $
       $ dumpcap -i 3 -w arp.cap -f arp
       File: arp.cap
       Packets: 4
       Packets dropped: 0
       $

  7. Automatically stopping a capture (-a filesize is given in kB, -a duration in seconds, -c is a packet count)

       $ dumpcap -i3 -w one_megabyte.cap -a filesize:1024
       File: one_megabyte.cap
       Packets: 1350
       Packets dropped: 0
       $
       $ dumpcap -i3 -w one_minute.cap -a duration:60
       File: one_minute.cap
       Packets: 155588
       Packets dropped: 0
       $
       $ dumpcap -i 3 -w 10000.cap -c 10000
       File: 10000.cap
       Packets: 10000
       Packets dropped: 0
       $

  8. Capturing to multiple files (a sequence number and a timestamp are inserted into each file name; -a files:4 stops the capture after four files have been written)

       $ dumpcap -i3 -w per_10sec.cap -a files:4 -a filesize:8192
       File: per_10sec_00001_20080712181944.cap
       Packets: 10253
       File: per_10sec_00002_20080712181948.cap
       Packets: 20603
       File: per_10sec_00003_20080712181951.cap
       Packets: 30814
       File: per_10sec_00004_20080712181955.cap
       Packets: 40928
       Packets dropped: 0
       $
       $ dumpcap -i3 -w per_10sec.cap -a files:4 -b duration:10
       File: per_10sec_00001_20080712182604.cap
       Packets: 29009
       File: per_10sec_00002_20080712182615.cap
       Packets: 51308
       File: per_10sec_00003_20080712182626.cap
       Packets: 80406
       File: per_10sec_00004_20080712182637.cap
       Packets: 110665
       Packets dropped: 0
       $

  9. Capturing to a ringbuffer of files (-b files:4 keeps only the four newest files: every time a new file is opened, the oldest one is deleted, so the capture can run indefinitely with bounded disk use)

       $ dumpcap -i3 -w keep_last_4.cap -b files:4 -b filesize:8192
       File: keep_last_4_00001_20080712183216.cap
       Packets: 10239
       File: keep_last_4_00002_20080712183220.cap
       Packets: 20524
       File: keep_last_4_00003_20080712183223.cap
       Packets: 30655
       File: keep_last_4_00004_20080712183227.cap
       Packets: 40895
       File: keep_last_4_00005_20080712183230.cap
       Packets: 51216
       File: keep_last_4_00006_20080712183233.cap
       Packets: 61475
       File: keep_last_4_00007_20080712183238.cap
       Packets: 71630
       File: keep_last_4_00008_20080712183241.cap
       Packets: 81852
       File: keep_last_4_00009_20080712183245.cap
       Packets: 83282
       Packets dropped: 0
       $
       $ ls -1 keep_last_4_0000*
       keep_last_4_00006_20080712183233.cap
       keep_last_4_00007_20080712183238.cap
       keep_last_4_00008_20080712183241.cap
       keep_last_4_00009_20080712183245.cap
       $
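The slides show the ringbuffer commands typed interactively; for a capture that has to keep running after you log out, a small wrapper is what you actually deploy. The script below is an added example for this page, not code from the slides or from the Wireshark project. It assumes dumpcap is on PATH and may capture without being root (on Linux the Wireshark project documents giving the dumpcap binary the cap_net_raw and cap_net_admin file capabilities, with execution restricted to a capture group, which is exactly the privilege separation slide 4 argues for). The interface name, paths and the sample log lines used for illustration are made up.

```shell
#!/bin/sh
# Added example (not from the slides): wrapper for an unattended dumpcap ring capture.
# Assumptions: dumpcap is on PATH and has been granted capture privileges
# (Linux: setcap cap_net_raw,cap_net_admin=eip on the dumpcap binary), so that
# nothing else in this script ever needs to run as root.

# Build the dumpcap command line for a ringbuffer that keeps the newest $3 files
# of $4 kB each, capturing on interface $1 with an optional capture filter $5,
# writing files named after $2. -q suppresses the running packet counter, which
# is noise in a log file; the per-file "File:" lines are still printed.
ring_cmd() {
  iface=$1; prefix=$2; files=$3; size_kb=$4; filter=$5
  cmd="dumpcap -q -i $iface -w $prefix -b files:$files -b filesize:$size_kb"
  [ -n "$filter" ] && cmd="$cmd -f '$filter'"
  printf '%s\n' "$cmd"
}

# Launch the capture detached from the terminal so it survives the SSH session
# ending; stdout/stderr (the "File:" and "Packets dropped:" lines) go to $1.
# Prints the PID so the capture can later be stopped cleanly with: kill -INT <pid>
start_ring() {
  log=$1; shift
  nohup sh -c "$(ring_cmd "$@")" >"$log" 2>&1 &
  echo $!
}

# dumpcap names ring files <prefix>_<NNNNN>_<YYYYMMDDHHMMSS>.<ext> (see slide 9).
# List the ones for <base> in directory <dir> in write order. Because the sequence
# number is zero-padded and the timestamp is fixed width, a plain lexical sort
# gives write order without relying on mtimes, which copying files off the capture
# box may disturb.
ring_files() {
  dir=$1; base=$2
  ls "$dir" | grep -E "^${base}_[0-9]{5}_[0-9]{14}\.[A-Za-z0-9]+$" | sort
}

# The newest $3 ring files, oldest first: the set you hand to mergecap/tshark
# after an incident to get one contiguous trace.
newest_ring_files() {
  ring_files "$1" "$2" | tail -n "$3"
}

# Number of packets dumpcap reported dropped, from the log written by start_ring.
# This matches the "Packets dropped: N" summary format shown on the slides (2008);
# newer dumpcap versions word the per-interface summary differently, so adjust
# the pattern if you run this against a current release. Prints nothing if the
# capture has not ended yet.
dropped_packets() {
  sed -n 's/.*Packets dropped: *\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}
```

Typical use is `start_ring /var/cap/ring.log eth0 /var/cap/ring.cap 4 8192 'not port 22'`, which keeps the last four 8 MB files; after the event you are waiting for, stop dumpcap with SIGINT so the last file gets its trailer, check `dropped_packets` to know whether the trace is trustworthy, and feed `newest_ring_files` to mergecap. Excluding your own management traffic with a capture filter, as in the example, keeps the ring from being filled by the session you used to start it.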
  10. That's all folks!
      - More info: dumpcap manpage (http://www.wireshark.org/docs/man-pages/dumpcap.html)
      - Next month's episode: "capture file manipulation with tshark, editcap and mergecap (part I: selecting packets)"
      - e-mail: [email_address]

  11. LoveMyTool.com, Community for Network Monitoring & Management Tools
      - For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html
