This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Long term capture

0

I have a site with an intermittent issue that appears to be a client (probably a laptop) using all the bandwidth. It will be a while before I can be onsite and my remote options are limited.

There is a monitor port configured for the internet connection and they have offered to put a laptop on it with any tool that they can install. It would need to be a Windows tool and easy for them to configure.

I was thinking about having them install Wireshark and start a multi-file capture. I'm concerned though that won't be able to stop the capture soon enough after the offending client appears.

It seems like I could get more useful information if I only capture headers. The instructions at http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureOptions.html indicate that I can set "The maximum amount of data that will be captured for each packet," but I don't see that option.

Can you think of a better tool? I would love something that would trigger a new capture when bandwidth reaches a certain number. Otherwise I will just have them start a capture with ringbuffers and hope I get to it in time.

TIA.

asked 06 Oct '12, 14:30


ComputerX
6113
accept rate: 0%


2 Answers:

3

Unfortunately Wireshark maintains state, even when used with multiple files, as it dissects the traffic, so it's not the best tool for making a long term capture. TShark (which is installed along with Wireshark) is the commandline version, but this still maintains state as it also dissects the data. Dumpcap (also installed with Wireshark) is a pure capture utility, so it is best for long-term captures. The man page gives the options; the -b option is used for multiple files and the size of each file, and the -s option controls how many bytes are captured from the front of each packet. I've used a value of 64 when doing similar traffic analysis.

Once you have gathered all your data you then need to analyse it. You can load each file into Wireshark and examine it, but to get a view over the whole capture period you could look at Riverbed's Cascade Pilot.

answered 06 Oct '12, 15:05


grahamb ♦
19.8k330206
accept rate: 22%

Perfect, and thank you. I had been looking at TShark and WinDump. I didn't know about Dumpcap. The -s option should let me trim the packets down to get the headers and truncate the payload.

I wonder if "capture [TCP|IP|MAC|etc.] headers only" would be a useful/practical feature request. It would require a certain amount of real-time analysis. I think. You guys are the experts :-)

Thank you again.

(06 Oct '12, 15:19) ComputerX

I wonder if "capture [TCP|IP|MAC|etc.] headers only" would be a useful/practical feature request. It would require a certain amount of real-time analysis.

On *BSD and OS X and possibly AIX and Solaris 11, it'd require generating BPF code that looks at the relevant packet fields and calculates the packet length appropriate for the packet to include the relevant headers. I'm not sure what other platforms use the return value of a BPF program as the snapshot length (it might, on Linux and Windows-with-WinPcap; I suspect not in the others).

(06 Oct '12, 18:02) Guy Harris ♦♦
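Added example (not from the original thread or the Wireshark project): a snaplen-truncated capture such as `dumpcap -s 64` still records each packet's on-the-wire length in the pcap record header (`orig_len`), so per-client bandwidth totals can be computed from headers alone. The pcap bytes are constructed inline with a hypothetical `build_sample_pcap` helper; the parser handles classic pcap with Ethernet/IPv4 frames only.

```python
import socket
import struct
from collections import defaultdict

LE_MAGIC, BE_MAGIC = b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"  # classic pcap, usec ts

def build_sample_pcap(snaplen=64):
    """Constructed test data (not a real capture): three Ethernet/IPv4 frames,
    truncated to `snaplen` bytes as dumpcap -s would, but with true orig_len."""
    frames = [  # (src_ip, dst_ip, original frame length on the wire)
        ("192.168.1.50", "203.0.113.9", 1514),
        ("192.168.1.50", "203.0.113.9", 1514),
        ("192.168.1.20", "203.0.113.9", 120),
    ]
    # global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 = Ethernet
    out = LE_MAGIC + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, 1)
    for i, (src, dst, orig_len) in enumerate(frames):
        eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_len - 14, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = (eth + ip).ljust(orig_len, b"\x00")[:snaplen]  # payload truncated
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (wire)
        out += struct.pack("<IIII", 1349568000 + i, 0, len(frame), orig_len) + frame
    return out

def bytes_per_source(pcap):
    """Sum on-the-wire bytes per IPv4 source using orig_len, so a headers-only
    capture still yields correct volumes per client."""
    if pcap[:4] == LE_MAGIC:
        endian = "<"
    elif pcap[:4] == BE_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("this example handles Ethernet (linktype 1) only")
    totals, off = defaultdict(int), 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # full IPv4 header present
            totals[socket.inet_ntoa(frame[26:30])] += orig_len
    return dict(totals)

def top_talkers(pcap, n=3):
    """Sources ranked by wire bytes, highest first."""
    return sorted(bytes_per_source(pcap).items(), key=lambda kv: -kv[1])[:n]
```

Point `bytes_per_source` at one of the ring-buffer files dumpcap wrote and the top entry is the client that was consuming the bandwidth, even though only 64 bytes of each packet were kept.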

0

I posted this a while back which may help you: "Wireshark - tshark Ring Buffer Example" http://www.lovemytool.com/blog/2011/03/wireshark-tshark-ring-buffer-example-by-tony-fortunato.html

and a bunch of others here: http://thetechfirm.com/wireshark/wireshark.html

answered 06 Oct '12, 15:15


thetechfirm
64116
accept rate: 0%