$ dumpcap -b filesize:10000 -w packets.cap
The filename given will be appended with a serial number and timestamp to ensure uniqueness. We can tell dumpcap to begin writing a new file every time the current file reaches a given size (in kilobytes). Of course, if we intend to capture gigabytes of data, a single file becomes too unwieldy to manage. Now we have a 942 KB capture file that we can open in Wireshark for analysis at our leisure. rw- 1 stretch stretch 942K 15:48 packets.cap i eth0 specifies the capture interface and -w packets.cap specifies the name of the capture file to be written. We can start a very basic packet capture by invoking dumpcap with the command below. Further, like tcpdump, it is built on the libpcap library and uses the same capture filter syntax. In fact, the Wireshark capture options dialog pictured below is primarily a wrapper for arguments passed to dumpcap.ĭumpcap can be run independently from Wireshark to capture packets to a file or series of files on disk, and makes for an efficient long-term capture solution. I explained in the article Sniffing with Wireshark as a Non-Root User that Wireshark relies on the dumpcap executable for its core packet capturing functionality, with more complex features offloaded to the Wireshark GUI and tshark. Alternatively, the Wireshark package includes a very small command line utility (less than one tenth the size of tcpdump) called dumpcap. While Wireshark is an excellent packet analysis application, its graphical interface is quite demanding on system resources (memory in particular) and is intended for use only in low-throughput environments or offline packet analysis (where packets are read from a file on disk).įor persistent traffic collection, such as that performed by an IDS/IPS, many people opt to use the popular packet capture utility tcpdump. A reader recently asked for my opinion on building a server to be dedicated to network traffic capturing with Wireshark.
0 kommentar(er)
