Last Updated: 2007-08-31 13:19:00 UTC
by Mike Poor (Version: 1)
Many of our readers routinely ask us what ways they can capture packets to send data to the Storm Center. A couple of different things to consider:
What do you want to capture?
Specific ports or protocols?
Snapshot of traffic?
What line speed are you capturing at?
What device are you capturing on?
Two common tools to do the packet capturing with are: tcpdump, wireshark/tshark. In this diary we will examine each of these briefly, along with their pros and cons.
The venerable tcpdump is a staple to many of us that analyze traffic for a living. It is simple, powerful, and above all ported to many platforms. Tcpdump uses the bpf (Berkeley Packet Filter) format for filtering packets out of your capture.
An example tcpdump command:
tcpdump -nn -i eth0 -s 1514 -w file.cap 'tcp and port 5050'
This command will capture full ethernet packets (1500 MTU + 14 bytes for the frame header), binding to interface eth0 (-i switch), and write to a file called "file.cap". The end of the command line is the bpf, filtering packets matching tcp port 5050 (both source and destination). The -nn disables name and port resolution.
wireshark / tshark
Wireshark and tshark are the new names for the oldschool tools, ethereal and tetheral. Wireshark is the graphic tool, and tshark is a commandline tool.
Given that most probably have experience with wireshark or ethereal, lets look more closely at tshark.
The biggest advantage for using tshark is that it includes a ring buffer for packet capturing. If you find yourself dropping packets with tcpdump, try using tshark with the ring buffer.
The following command runs tshark binding to interface en0 (-i) , disabling name resolution (-n), and using a ring buffer rotating files after every 10000K (-b filesize:10000) and writing to a basename of "foo" (-w foo).
tshark -i en0 -b filesize:10000 -w foo -n
You end up with files named as follows:
Next time we will look at Marty (of Snort fame) Roesch's new tool: Daemonlogger.