
Wireshark

Using Tcpdump

Rotation

The size of each capture file can be limited with -C (megabytes) and the maximum number of files with -W; once that many files exist, tcpdump starts overwriting the oldest one, giving a ring buffer. For example:

tcpdump -i eth0 -s 0 -w 172.16.34.121.pcap -C 500 -W 200 host 172.16.34.121

This creates up to 200 files of 500 MB each, named 172.16.34.121.pcap000, 172.16.34.121.pcap001, and so on. Use editcap or tshark to filter out the parts you need after the fact.

Splitting Files

editcap can be used to split captures into smaller files or to make a new file with only the packets from a certain time period: -A keeps packets at or after the start time, -B keeps packets before the stop time.

For example:

editcap -A "2009-12-14 13:04:00" -B "2009-12-14 13:06:00" 172.16.34.121.pcap000 20091214T1305-1min.pcap
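As an added illustration of what the editcap command above does (example code written for this page, not editcap or Wireshark source), the following Python reads a classic pcap file directly and keeps only the records whose timestamps fall in a [start, stop) window. It assumes the -A/-B timestamps are UTC (editcap itself interprets them in local time), and the sample file it builds is constructed.

```python
import calendar
import struct
import time

# Magic number -> timestamp divisor (microsecond and nanosecond pcap variants)
PCAP_MAGIC = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}
HEADER_LEN, RECORD_HDR_LEN = 24, 16

def _byte_order(data):
    """Detect byte order from the magic number; returns (struct prefix, divisor)."""
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in PCAP_MAGIC:
            return order, PCAP_MAGIC[magic]
    raise ValueError("not a pcap file")

def iter_records(data):
    """Yield (timestamp in seconds, raw record bytes incl. header) per packet."""
    order, divisor = _byte_order(data)
    offset = HEADER_LEN
    while offset + RECORD_HDR_LEN <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HDR_LEN])
        end = offset + RECORD_HDR_LEN + incl_len
        if end > len(data):  # refuse to silently emit a half-written record
            raise ValueError("truncated packet record at offset %d" % offset)
        yield sec + frac / divisor, data[offset:end]
        offset = end

def parse_time(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' (the -A/-B format); assumed to be UTC here."""
    return calendar.timegm(time.strptime(text, "%Y-%m-%d %H:%M:%S"))

def filter_by_time(data, start, stop):
    """Keep records with start <= timestamp < stop, like editcap -A start -B stop."""
    lo, hi = parse_time(start), parse_time(stop)
    kept = [data[:HEADER_LEN]]  # the global header is copied unchanged
    kept.extend(rec for ts, rec in iter_records(data) if lo <= ts < hi)
    return b"".join(kept)

def build_sample_pcap(timestamps):
    """Constructed sample file: one 14-byte dummy frame per timestamp (LE, usec)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    frame = b"\x00" * 14
    for ts in timestamps:
        sec, usec = int(ts), int(round((ts % 1) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)
```

Feed filter_by_time a real rotated file and the two timestamps from the editcap command to get the same one-minute slice; tshark or capinfos will confirm the packet count.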

Questions

  • Proxying/tunneling: I'd like to tell my program to connect to an intermediary (with Wireshark installed) so I can monitor it more easily. Maybe use a proxy server, or make the intermediate machine into a simple router.
  • Decrypting: if I have the private key for SSH or SSL/TLS, can I decrypt the traffic in Wireshark?
    • Try ssldump
info/wireshark.txt · Last modified: 2010-10-12 16:04 by sam