This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter to capture entire sessions

0

I have an application talking to a database using persistent sessions. From time to time new sessions are initiated and I want to capture only those. I could wait hours before seeing a new session, so I'm looking for a capture filter that will allow only interesting traffic to be saved on disk. Please point me to any linux command line tool and filter syntax I could use. Thanks in advance!

asked 15 Jun '12, 01:51


Gab
6113
accept rate: 0%

I forgot to tell output must be in pcap format.

(15 Jun '12, 01:55) Gab

One Answer:

1

One option would be to filter out all ports that are already in use by the established connections:

  • netstat -na | grep xxxx where xxxx is your DB port
  • Look for all source ports used
  • Use this capture filter: 'port xxxx and not port 1111 and not port 2222 and not port 3333', where xxxx is the port your DB application is listening on and 1111, 2222, 3333 are the (source) ports of the established connections. Combine the filter with IP addresses if necessary.

I forgot to tell output must be in pcap format.

Use option -w to write the file in pcap format. See the man page.

Regards
Kurt

answered 15 Jun '12, 02:08


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 15 Jun '12, 02:15

I'm sniffing on a 3rd device connected to a network tap between client and server. This is the linux box I can run stuff on. I don't have access to the client or the server.

(15 Jun '12, 03:29) Gab

Well, then netstat is not an option. Why do you need only new sessions?

(15 Jun '12, 04:22) Kurt Knochner ♦

Kurt, anyway that is a very good idea: the linux box runs a proprietary software tracking sessions. Such software keeps a table of inspected sessions and I can do the trick from there. Let's wait for other (simpler) alternatives, but I got a good starting point :)

(15 Jun '12, 04:29) Gab

O.K., you can do the "trick" with wireshark as well. Run wireshark with a filter on the DB port. Wait a few seconds/minutes and extract all source ports. Use that list to filter out all those ports in another wireshark session, as shown above.

BTW: What kind of proprietary session tracking software do you run on that linux box?

(15 Jun '12, 04:41) Kurt Knochner ♦
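The two-step procedure from Kurt's answer and his later comment (observe the established flows on the DB port for a short warm-up, then exclude every observed client host/source-port pair from the real capture, which is the "combine with IP addresses" variant of his filter) as an added shell example. This is not code from the original thread or from the Wireshark project. It assumes a Linux box with tshark and tcpdump listening on the tap interface (eth0 and DB port 3306 are placeholders), and the warm-up output below is constructed, not real capture data.

```shell
#!/bin/sh
# Constructed sample of what the warm-up step produces: tshark "-T fields"
# output with ip.src, tcp.srcport, ip.dst, tcp.dstport (tab separated).
# These five lines are made up for the example.
SAMPLE_LINES='10.0.0.5	40001	10.0.0.100	3306
10.0.0.100	3306	10.0.0.5	40001
10.0.0.6	40002	10.0.0.100	3306
10.0.0.5	40001	10.0.0.100	3306
10.0.0.7	40003	10.0.0.100	3306'

# Step 1 command (printed, not executed here): watch the DB port for 60 s and
# emit one line per packet with the four fields used below.
warmup_command() {
    iface="$1"; dbport="$2"
    printf '%s\n' "tshark -i $iface -f \"port $dbport\" -a duration:60 -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport"
}

# Step 2: from the warm-up lines on stdin, keep the client side of every
# packet sent *to* the DB port and print each unique "host port" pair once.
extract_clients() {
    dbport="$1"
    awk -v db="$dbport" '
        $4 == db { key = $1 " " $2; if (!(key in seen)) { seen[key] = 1; print key } }
    ' | sort
}

# Step 3: turn the "host port" pairs on stdin into the capture filter from
# the answer, qualified with the client address so that the same source
# port on a different host is not excluded by accident. Entries whose port
# is not a number in 1..65535 are dropped rather than spliced into the filter.
build_filter() {
    dbport="$1"
    filter="port $dbport"
    while read -r host port; do
        [ -n "$host" ] || continue
        case "$port" in ''|*[!0-9]*) continue ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || continue
        filter="$filter and not (host $host and port $port)"
    done
    printf '%s\n' "$filter"
}

# Step 4 command (printed, not executed here): the real capture, written in
# pcap format with -w as the answer says.
capture_command() {
    iface="$1"; filter="$2"
    printf '%s\n' "tcpdump -i $iface -w new_sessions.pcap '$filter'"
}

demo() {
    warmup_command eth0 3306
    filter=$(printf '%s\n' "$SAMPLE_LINES" | extract_clients 3306 | build_filter 3306)
    capture_command eth0 "$filter"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh newsessions.sh demo` to see both commands. Two limits of the approach are worth keeping in mind: a persistent session that stays idle for the whole warm-up never shows up in the list and will be captured as if it were new, and a client that later reuses one of the listed source ports for a genuinely new session will be wrongly excluded, so a warm-up of a few minutes and a second look at the list are cheap insurance. Very long filters (hundreds of excluded pairs) can also be refused by libpcap, so keep an eye on the tcpdump error output when the list is large.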