This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I capture and summarize a whole day of traffic for a host?


I'm trying to help our server gang check if it's safe to retire a particular server. They ask me (since I'm network support): who's talking with this host over the course of a full day?

I know I can have them run TSHARK, and use its conversation summary:

tshark -i 1 -c ####### -z conv,"ip",ip.addr==x.y.z.w -q

I don't know how many packets to expect. I suppose if some reasonable number (200,000?) gets exhausted quickly, they have some heavy flow activity they need to investigate first. Later runs of the same capture would detect infrequent and lighter flow activity over longer time.

Is there a better technique? Focus on just TCP-SYN to reduce what has to be captured? Does the conversation summarization feature work with filters such as TCP-SYN?

asked 08 Oct '12, 08:59


RichardBerke


One Answer:


if it's safe to retire a particular server.

O.K., so they expect to have eliminated most (if not all) of the traffic to that host, so you should not see that much traffic, right?

If so, I recommend running dumpcap with a capture filter on the ip address of the server and then, after a day (you should limit the captured data to some size), you can analyze the traffic with tshark.

dumpcap -ni 1 -s 60 -w c:\temp\all-day.cap -a filesize:300000 host x.x.x.x

Replace '1' with the interface ID you want to capture on (see dumpcap -D -M). Replace 'x.x.x.x' with the ip address of the server. This command will stop after 300 MByte (-a accepts the file size in KB). As you only capture the first few bytes of every packet, you can record quite a lot of conversations and 300 MByte should be sufficient for the whole day. If it is not, you can also use ring buffers with dumpcap (see man page).

Then you can analyze with tshark:

tshark -r c:\temp\all-day.cap -q -z conv,tcp
tshark -r c:\temp\all-day.cap -q -z conv,udp

Regards
Kurt

answered 08 Oct '12, 12:44


Kurt Knochner ♦
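An added worked example, not part of the original question or answer and not Wireshark code: a small Python script that reads a classic pcap written with a 60-byte snaplen, as in the dumpcap command in the answer, and produces what the server team actually needs, a per-peer packet/byte table like "tshark -z conv,ip" plus, for TCP, which side sent the pure SYN (so you can tell a client of the server from a service the server itself depends on). That last part also covers the TCP-SYN question from the post: tshark's conversation statistics accept a display filter as a third argument, for example -z conv,tcp,"tcp.flags.syn==1 && tcp.flags.ack==0", and the script does the same classification by hand. Assumptions: the host address 10.0.0.5, the peer addresses and every packet are constructed inline (checksums left zero, nothing is sent); the parser handles Ethernet/IPv4 only and the classic pcap format. dumpcap writes pcapng by default, so add -P to the dumpcap command or convert afterwards with tshark -r all-day.pcapng -F pcap -w all-day.pcap.

```python
"""Per-peer summary of a headers-only capture for one host.

Added example, not code from the original page or from Wireshark.
Assumes classic pcap (not pcapng), Ethernet link type, IPv4 only; the
sample capture below is constructed test data.
"""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
HOST = "10.0.0.5"  # assumed address of the server under review


def parse_pcap(data):
    """Yield (ts, captured_bytes, wire_len) for each record in a classic pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng? convert with tshark -F pcap)")
    *_, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != 1:
        raise ValueError("expects Ethernet (DLT 1)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len], orig_len
        off += incl_len


def parse_headers(pkt):
    """Return (src, dst, proto, sport, dport, tcp_flags) or None if not IPv4.

    Needs only the first 48 bytes (14 Ethernet + 20 IP + 14 TCP), which is
    why a snaplen of 60 is enough for conversation and handshake stats.
    """
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETH_IPV4:
        return None
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[23]
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    l4 = 14 + ihl
    sport = dport = None
    flags = 0
    if proto in (6, 17) and len(pkt) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", pkt, l4)
    if proto == 6 and len(pkt) >= l4 + 14:
        flags = pkt[l4 + 13]  # TCP flags byte
    return src, dst, proto, sport, dport, flags


def summarize(pcap_bytes, host):
    """Aggregate traffic per peer of `host`, separating who initiated TCP."""
    peers = defaultdict(lambda: {"pkts": 0, "bytes": 0, "syn_to_host": 0,
                                 "syn_from_host": 0, "ports": set()})
    for _ts, pkt, wire_len in parse_pcap(pcap_bytes):
        hdr = parse_headers(pkt)
        if hdr is None:
            continue
        src, dst, proto, _sport, dport, flags = hdr
        if host not in (src, dst):
            continue
        p = peers[dst if src == host else src]
        p["pkts"] += 1
        p["bytes"] += wire_len  # on-wire length, not the truncated snaplen
        if proto == 6 and flags & 0x02 and not flags & 0x10:  # pure SYN
            if dst == host:
                p["syn_to_host"] += 1  # peer is a client of a service on the host
                p["ports"].add(dport)
            else:
                p["syn_from_host"] += 1  # host depends on a service on the peer
    return dict(peers)


def report(peers):
    """One line per peer, heaviest first, with the role the handshake reveals."""
    lines = []
    for peer, p in sorted(peers.items(), key=lambda kv: -kv[1]["bytes"]):
        if p["syn_to_host"]:
            role = "connects to host ports %s" % sorted(p["ports"])
        elif p["syn_from_host"]:
            role = "host connects out to it"
        else:
            role = "no TCP handshake seen"
        lines.append("%-15s pkts=%-5d bytes=%-8d %s" % (peer, p["pkts"], p["bytes"], role))
    return lines


def _ip4(a):
    return bytes(int(x) for x in a.split("."))


def _frame(src, dst, proto, l4):
    """Ethernet + IPv4 around an L4 segment; checksums zero (constructed data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     _ip4(src), _ip4(dst))
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + ip + l4


def tcp_packet(src, dst, sport, dport, flags, payload=b""):
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return _frame(src, dst, 6, seg + payload)


def udp_packet(src, dst, sport, dport, payload=b""):
    return _frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def pcap(packets, snaplen=60):
    """Classic little-endian pcap, truncating each record to `snaplen`."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, pkt in enumerate(packets):
        cap = pkt[:snaplen]
        out += struct.pack("<IIII", 1349700000 + i, 0, len(cap), len(pkt)) + cap
    return out


def sample_capture():
    """Constructed excerpt: an inbound HTTPS client, an outbound DB
    connection, one syslog datagram and one flow not involving the host."""
    return pcap([
        tcp_packet("10.0.0.20", HOST, 51000, 443, 0x02),              # SYN
        tcp_packet(HOST, "10.0.0.20", 443, 51000, 0x12),              # SYN/ACK
        tcp_packet("10.0.0.20", HOST, 51000, 443, 0x18, b"G" * 500),  # PSH/ACK + data
        tcp_packet(HOST, "10.0.0.30", 40000, 3306, 0x02),             # host -> DB SYN
        tcp_packet("10.0.0.30", HOST, 3306, 40000, 0x12),
        udp_packet(HOST, "10.0.0.40", 40001, 514, b"x" * 200),        # syslog
        tcp_packet("10.0.0.99", "10.0.0.100", 1, 2, 0x02),            # not our host
    ])


if __name__ == "__main__":
    for line in report(summarize(sample_capture(), HOST)):
        print(line)
```

Byte totals come from the on-wire length in each pcap record header rather than the 60 captured bytes, so the 300 MB limit in the answer holds roughly 300,000,000 / (60 + 16) ≈ 3.9 million headers-only frames. Note what the handshake split buys you for a retirement decision: a peer that only ever sends SYNs to the host is a client that will break when the box goes away, while a peer the host connects out to is a dependency that can simply be dropped. Peers seen only over UDP, or with no handshake inside the capture window, still need a manual look.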