I'm trying to help our server gang check if it's safe to retire a particular server. They ask me (since I'm network support) who's talking with this host over the course of a full day? I know I can have them run TSHARK, and use its conversation summary:
I don't know how many packets to expect. I suppose if some reasonable number (200,000?) gets exhausted quickly, they have some heavy flow activity they need to investigate first. Later runs of the same capture would detect infrequent and lighter flow activity over longer time. Is there a better technique? Focus on just TCP-SYN to reduce what has to be captured? Does the conversation summarization feature work with filters such as TCP-SYN? asked 08 Oct '12, 08:59 RichardBerke
One Answer:
O.K., so they expect to have eliminated most (if not all) of the traffic to that host, so you should not see that much traffic, right? If so, I recommend running dumpcap with a capture filter on the IP address of the server and then, after a day (you should limit the captured data to some size), you can analyze the traffic with tshark.
Replace '1' with the interface ID you want to capture on (see dumpcap -D -M). Replace 'x.x.x.x' with the IP address of the server. This command will stop after 300 MByte (-a accepts the file size in KB). As you only capture the first few bytes of every packet, you can record quite a lot of conversations and 300 MByte should be sufficient for the whole day. If it is not, you can also use ring buffers with dumpcap (see man page). Then you can analyze with tshark:
Regards answered 08 Oct '12, 12:44 Kurt Knochner ♦
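An added worked example (editor's code, not part of the answer above) showing the two-step approach it describes: a snaplen-limited, size-capped dumpcap capture filtered on the server address, then tshark's conversation statistics, which do accept a display filter as the third element of `-z conv,...`, so SYN-only summaries are possible. The interface ID, server address, output file name and the sample conversation table are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original answer. Assumes dumpcap and tshark are
# installed; IFACE/SERVER values are placeholders. Nothing is executed until a
# function is called, so the file can be sourced and inspected safely.

# Capture command: capture filter on the server address, keep only the first
# 96 bytes of each packet (IP/TCP headers are enough for conversation
# statistics), stop once the file reaches 300000 KB (~300 MByte).
capture_cmd() {
  iface="$1"; server="$2"; out="$3"
  echo "dumpcap -i $iface -f 'host $server' -s 96 -a filesize:300000 -w $out"
}

# Analysis command: IPv4 conversation statistics, optionally restricted by a
# display filter, e.g. 'tcp.flags.syn==1 && tcp.flags.ack==0' to count only
# connection attempts rather than every packet.
summary_cmd() {
  file="$1"; filter="${2:-}"
  if [ -n "$filter" ]; then
    echo "tshark -r $file -q -z conv,ip,\"$filter\""
  else
    echo "tshark -r $file -q -z conv,ip"
  fi
}

# Reduce the table printed by 'tshark -z conv,ip' (read from stdin) to the
# distinct peers that talked with the server, one address per line.
peers_from_conv() {
  server="$1"
  awk -v s="$server" '/<->/ { if ($1 != s) print $1; if ($3 != s) print $3 }' | sort -u
}

# Constructed sample of tshark conversation output (not from a real capture).
SAMPLE_CONV='================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.1.1.5             <-> 10.1.1.20                  12      1234      10       980      22     2214     0.000000000        12.3456
10.1.1.5             <-> 10.1.1.37                   3       210       3       300       6      510     5.000000000         1.0000
10.1.1.99            <-> 10.1.1.5                    1        60       1        60       2      120     9.000000000         0.0100
================================================================================'

# Peers of the placeholder server 10.1.1.5 in the sample above.
peers_of_sample() { printf '%s\n' "$SAMPLE_CONV" | peers_from_conv 10.1.1.5; }
```

Run the real analysis as `eval "$(summary_cmd day.pcap)" | peers_from_conv x.x.x.x` once the capture file exists; a ring buffer (`-b`) replaces `-a filesize:` when a day may exceed the cap.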