This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Log File that detects DoS

I would like to get a log file that contains Denial of Service (DoS) attack events from Wireshark. May I know how I get it using Wireshark?

asked 11 Apr '12, 01:42

misteryuku
accept rate: 0%

You need the tshark option --DOS. Unfortunately that hasn't been implemented yet.

If you explain a bit more about your requirements, e.g. what you think a DOS attack event looks like, then we can tell you how to use Wireshark to show the information.

(11 Apr '12, 02:50) grahamb ♦

I just want a sample log from Wireshark that contains DoS events and use it for log analysis on "Splunk" software, and I would like to know what the DoS attack event message will look like in the log file I get from Wireshark.

(11 Apr '12, 02:55) misteryuku

As Wikipedia shows HERE, a DOS attack may take many forms. Wireshark has no simple button to produce a DOS list; it instead displays all captured packets, filtered and coloured as required by the user.

So, if you can explain the sort of DOS you are looking for we may be able to supply a filter and/or colouring rules to help.

(11 Apr '12, 03:41) grahamb ♦

I read that there are many forms of DoS. I am looking for those DoS listed in the Wikipedia DoS page. I would like to know a way to get every single DoS attack event in a log file that I can obtain from Wireshark.

(11 Apr '12, 17:08) misteryuku

One Answer:

Wireshark is not the best tool for this purpose. First of all, its memory footprint will increase over time, so for long term monitoring, you need something else. Second of all, Wireshark will fully dissect each packet, which is overkill for DoS detection. You need a fast pattern matching engine for that.

Have a look at Snort instead...

answered 11 Apr '12, 17:20

SYN-bit ♦♦
accept rate: 20%
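To make concrete what a "pattern matching" detection produces, as opposed to Wireshark's per-packet dissection, here is an added example (not code from the thread, Wireshark, Snort or Splunk). It assumes the capture has been exported as tab-separated fields in the shape `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.flags.syn -e tcp.flags.ack` emits, counts bare SYNs (SYN set, ACK clear) per source in a sliding one-second window, and writes one key=value event per burst so the result can be fed to Splunk. The sample lines, addresses, the 5-SYN threshold and the function names are all constructed for the illustration.

```python
"""Threshold-based SYN-flood detector over tshark-style field output.

Hypothetical helper, not Wireshark/Snort code. Input lines are tab-separated
in the shape `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst
-e tcp.flags.syn -e tcp.flags.ack` produces; the sample below is constructed.
"""
from collections import defaultdict, deque

# Constructed sample capture: 10.0.0.5 completes a normal handshake, while
# 10.0.0.9 sends a burst of bare SYNs to 192.0.2.10. Epoch times are made up.
SAMPLE = """\
1334131200.000\t10.0.0.5\t192.0.2.10\t1\t0
1334131200.010\t192.0.2.10\t10.0.0.5\t1\t1
1334131200.020\t10.0.0.5\t192.0.2.10\t0\t1
1334131201.000\t10.0.0.9\t192.0.2.10\t1\t0
1334131201.050\t10.0.0.9\t192.0.2.10\t1\t0
1334131201.100\t10.0.0.9\t192.0.2.10\t1\t0
1334131201.150\t10.0.0.9\t192.0.2.10\t1\t0
1334131201.200\t10.0.0.9\t192.0.2.10\t1\t0
1334131201.250\t10.0.0.9\t192.0.2.10\t1\t0
1334131205.000\t10.0.0.5\t192.0.2.10\t0\t1
"""


def _flag(value):
    # tshark prints boolean fields as 1/0 or True/False depending on version
    return value.strip() in ("1", "True")


def parse_records(text):
    """Return a list of (time, src, dst, is_syn, is_ack) from field lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, syn, ack = line.split("\t")
        records.append((float(t), src, dst, _flag(syn), _flag(ack)))
    return records


def detect_syn_flood(records, window=1.0, threshold=5):
    """Sliding-window count of bare SYNs (SYN set, ACK clear) per source.

    Emits one alert per source each time the count reaches `threshold`
    within `window` seconds, then clears that source's window so a sustained
    flood yields one alert per `threshold` SYNs rather than one per packet.
    """
    recent = defaultdict(deque)  # src -> deque of (time, dst) for bare SYNs
    alerts = []
    for t, src, dst, syn, ack in sorted(records):
        if not (syn and not ack):
            continue  # only bare SYNs count toward the flood score
        q = recent[src]
        q.append((t, dst))
        while q and t - q[0][0] > window:
            q.popleft()  # drop SYNs that fell out of the window
        if len(q) >= threshold:
            alerts.append({"time": t, "src": src, "dst": dst,
                           "syn_count": len(q), "window_s": window})
            q.clear()
    return alerts


def to_splunk_events(alerts):
    """Render alerts as single-line key=value events, which Splunk auto-extracts."""
    fmt = ("time={time:.3f} event=syn_flood src={src} dst={dst} "
           "syn_count={syn_count} window_s={window_s}")
    return [fmt.format(**a) for a in alerts]


if __name__ == "__main__":
    for event in to_splunk_events(detect_syn_flood(parse_records(SAMPLE))):
        print(event)
```

Run against the constructed sample, the handshake from 10.0.0.5 produces nothing and the six-SYN burst from 10.0.0.9 produces a single `event=syn_flood` line with `syn_count=5`. The threshold and window are the tuning knobs: a real deployment would set them from a baseline of the monitored host's normal connection rate, and would treat the output as a lead for investigation rather than proof of an attack.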

I would like to ask you, does Snort require WinPcap when installed on Windows?

(11 Apr '12, 18:57) misteryuku

Snort uses pcap for capturing traffic, which means it requires WinPcap when installed on Windows.

(11 Apr '12, 19:13) Guy Harris ♦♦