This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I would like to get a log file that contains Denial of Service (DoS) attack events from Wireshark. May I know how I can get it using Wireshark?

asked 11 Apr '12, 01:42


misteryuku

You need the tshark option --DOS. Unfortunately that hasn't been implemented yet.

If you explain a bit more about your requirements, e.g. what you think a DOS attack event looks like, then we can tell you how to use Wireshark to show the information.

(11 Apr '12, 02:50) grahamb ♦

I just want a sample log from Wireshark that contains DoS events and use it for log analysis on "Splunk" software, and I would like to know how the DoS attack event message will look in the log file I get from Wireshark.

(11 Apr '12, 02:55) misteryuku

As Wikipedia shows HERE, a DOS attack may take many forms. Wireshark has no simple button to produce a DOS list; it instead displays all captured packets, filtered and coloured as required by the user.

So, if you can explain the sort of DOS you are looking for we may be able to supply a filter and/or colouring rules to help.

(11 Apr '12, 03:41) grahamb ♦
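As an added illustration of the "filter to help" approach above (this is example code, not something posted in the original thread): one of the DoS forms on the Wikipedia page is a TCP SYN flood, and the bare SYNs can be pulled out of a capture with tshark, Wireshark's command-line companion, and then counted per source and per second. The script assumes the input lines are what `tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -E separator=,` prints; the sample export embedded below is constructed, and the threshold of 100 SYNs per second is an arbitrary assumption, not a figure from the page. Each detected event is emitted as one JSON line, the shape Splunk ingests without a custom parser.

```python
"""Turn a tshark field export of bare SYN packets into SYN-flood event lines.

Added example, not from the original thread. Assumed input format: the lines
printed by
    tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
        -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport \
        -E separator=,
i.e. one bare SYN per line as "epoch,src,dst,dport". The sample data below
is constructed for the example.
"""
import json
from collections import defaultdict

# Constructed sample export: 10.0.0.5 sends 120 SYNs inside one second
# (plus one more in the next second), 10.0.0.9 sends a normal handful.
SAMPLE_EXPORT = "\n".join(
    [f"1334130000.{i:06d},10.0.0.5,192.168.1.10,80" for i in range(120)]
    + [
        "1334130000.500000,10.0.0.9,192.168.1.10,80",
        "1334130001.100000,10.0.0.9,192.168.1.10,443",
        "1334130001.200000,10.0.0.5,192.168.1.10,80",
    ]
)


def parse_export(text):
    """Yield (epoch_seconds, src, dst, dport) tuples from tshark field lines.

    Lines that do not have exactly four fields (e.g. non-IP frames with empty
    ip.src) are skipped rather than crashing the run.
    """
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or not parts[0]:
            continue
        ts, src, dst, dport = parts
        yield float(ts), src, dst, dport


def syn_flood_events(text, threshold=100, window=1.0):
    """Return one event dict per (source, time window) whose bare-SYN count
    reaches `threshold`. threshold and window are assumed tuning values."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    for ts, src, dst, dport in parse_export(text):
        bucket = int(ts // window)          # window index this SYN falls in
        counts[(src, bucket)] += 1
        targets[(src, bucket)].add(f"{dst}:{dport}")

    events = []
    for (src, bucket), n in sorted(counts.items()):
        if n >= threshold:
            events.append({
                "time": bucket * window,    # start of the window, epoch seconds
                "event": "syn_flood",
                "src": src,
                "syn_count": n,
                "targets": sorted(targets[(src, bucket)]),
                "window_s": window,
            })
    return events


def to_splunk_lines(events):
    """Serialise events as one JSON object per line for Splunk ingestion."""
    return [json.dumps(e, sort_keys=True) for e in events]


if __name__ == "__main__":
    for line in to_splunk_lines(syn_flood_events(SAMPLE_EXPORT)):
        print(line)
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; lowering `threshold` or widening `window` trades false positives for sensitivity, which is exactly the tuning decision the thread says Wireshark cannot make for you.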

I read that there are many forms of DoS. I am looking for those DoS listed in the Wikipedia DoS page. I would like to know a way to get every single DoS attack event in a log file that I can obtain from Wireshark.

(11 Apr '12, 17:08) misteryuku

Wireshark is not the best tool for this purpose. First of all, its memory footprint will increase over time, so for long term monitoring, you need something else. Second of all, Wireshark will fully dissect each packet, which is overkill for DoS detection. You need a fast pattern matching engine for that.

Have a look at Snort instead...


answered 11 Apr '12, 17:20


SYN-bit ♦♦

I would like to ask you, does Snort require WinPcap when installed on Windows?

(11 Apr '12, 18:57) misteryuku

Snort uses pcap for capturing traffic, which means it requires WinPcap when installed on Windows.

(11 Apr '12, 19:13) Guy Harris ♦♦
question asked: 11 Apr '12, 01:42

question was seen: 7,934 times

last updated: 11 Apr '12, 19:13