This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter to capture entire sessions

0

I have a application talking to a database using persistent sessions. From time to time new sessions are initiated and I want to capture only those ones. I could wait hours before seeing a new session, so I'm looking for a capture filter that will allow only interesting traffic to be saved on disk. Please point me to any linux command line tool and filter syntax I could use. Thanks in advance !

asked 15 Jun '12, 01:51

Gab's gravatar image

Gab
6113
accept rate: 0%

I forgot to tell output must be in pcap format.

(15 Jun '12, 01:55) Gab
One Answer:
active answersoldest answersnewest answerspopular answers
1

One option would be to filter out all ports that are already in use by the established connections:

  • netstat -na | grep xxxx where xxxx is your DB port
  • Look for all source ports used
  • Use this capture filter: 'port xxxx and not port 1111 and not port 2222 and not port 3333', where xxxx is the port your DB application is listening and 1111,2222,3333 are the (source) ports of the established connections. Combine the filter with IP addresses if necessary.

I forgot to tell output must be in pcap format.

use option -w to write the file in pcap format. See man page.

Regards
Kurt

permanent link

answered 15 Jun '12, 02:08

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 15 Jun '12, 02:15

I'm sniffing on a 3rd device connected to a network tap between client and server. This is the linux box I can run stuff onto. I don't have access to client nor server.

(15 Jun '12, 03:29) Gab

well, then netstat is not an option. Why do you need only new sessions?

(15 Jun '12, 04:22) Kurt Knochner ♦

Kurt, anyway that is a very good idea: the linux box runs a proprietary software tracking sessions. Such software keeps a table of inspected sessions and I can do the trick from there. Let's wait for other (simpler) alternatives, but I got a good starting point :)

(15 Jun '12, 04:29) Gab

O.K. you can do the "trick" with wireshark as well. Run wireshark with a filter on the DB port. Wait a few seconds/minutes and extract all source ports. Use that list to filter out all those ports in another wireshark session, as shown above.

BTW: What kind of proprietary session tracking software do you run on that linux box?

(15 Jun '12, 04:41) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×154
×55
×21

question asked: 15 Jun '12, 01:51

question was seen: 4,357 times

last updated: 15 Jun '12, 04:42

Related questions

Wireshark only showing one way communication over VPN tunnel

Can Download Wireshark for Ubuntu Linux?

tshark running background linux

[SOLVED] How to generate Wireshark Binary package for Linux

How do I get bluetooth interface accepted

Determine Physical USB Port in Wireshark Dump

transfer from Linux to Windows

How do I make a Wireshark built from source not require root on Linux?

What exist between usbmon and the usb hardware?

How to build wireshark 2.x on Redhat/Centos

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A