This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi there.

I'd like to leave WireShark running on all my machines, and have it automatically capture packets when total bandwidth usage is above a user defined value.

For example, I have WireShark running on my machine 24/7, and when the connection being monitored starts to use 20Mbps or more, WireShark will begin capturing the packets and dumping them into a file (Preferably timestamped).

This would be great for me as if a machine was being attacked by a Denial of Service attack, I would be able to log onto the machine after the attack stops and have a clear log of all packets going through that interface during the attack.

Please let me know if this is currently possible, or guide me in the right direction.

Thanks

asked 11 Jan '11, 15:43

Ninjadude101's gravatar image

Ninjadude101
1111
accept rate: 0%


Why not just use a rotating ring buffer? What you are asking is to capture traffic when it is high and would actually have the most impact on the machine and its storage. I assume the reason for this question is that you are wanting to lessen the impact on the machine and its storage. However, adding a service and collecting the packets will actually add to the potential of a DoS.

I do find this to be an interesting way to think outside the box. I think it could be done by writing a shell script or batch file to invoke dumpcap. Then triggering the script by querying the interface with some WMI or SNMP probe and watch for the crossing of a threshhold. I could certainly help with the dumpcap syntax, but the trigger is outside of my expertise.

permanent link

answered 11 Jan '11, 16:57

Paul%20Stewart's gravatar image

Paul Stewart
3018
accept rate: 6%

Paul, actually the reason behind my question is not to lessen the impact on the storage, but to provide an always-on solution for retrieving information behind DoS attacks.

Unfortunately, due to the nature of my business, my servers see a few (D)DoS attacks each month, and I am not always able to get onto the machine to start WireShark (Which in most cases provides information useful for finding out who is responsible). This solution will simply mean that after a (D)DoS attack, all I'd need to do is log onto the server via remote desktop and open up the latest log file to see that information.

Once I am done with the log file, it would be removed, so in fact this shouldn't have a massive impact on the storage as it will only be logging packets when the bandwidth is high.

I hope I've made myself clearer.

hansangb, Could you possibly go into more detail with the ring buffers, as I am relatively new to WireShark and lack the understanding of the terminology. I had a look at CACE Pilot, but it's quite expensive!

Thanks all.

(12 Jan '11, 05:16) Ninjadude101

Ninjadude, When you open the capture options (CTRL-K), 1) Specify the file name (under Capture Files section). 2) Check the "Use multiple files" 3) Determine if you want the rotation of files to happen based on time (next file every x min) or by capture file size (next file every x MB) 4) Check the "Ring buffer with x files" and figure out how many files you want to create before wrapping around. Make sure you have enough HD space.

That's pretty much it.

(12 Jan '11, 05:36) hansangb

I think there is some legitimacy to your reasoning. However, one concern is that you would miss the traffic prior to the trigger event. Obviously you know your business and constraints better than I do. If it were me, I'd consider capturing the traffic off box. In other words build an adequate size capture pc or server. Place it on a span or monitor port that has visibility to all of the servers. Then set up dumpcap to capture to a 'ring buffer' set of files. I'd make them a reasonable size (100MB or so). Then configure the number of files based on the maximum space you have on this dedicated machine. This approach will give you greater visibility. I'd give examples, but I'm posting from my phone.

(12 Jan '11, 05:41) Paul Stewart

Ninjadude101 Unfortunately, Wireshark lacks the trigger mechanism. So you'll have to go with ring buffers (and capture just 96 bytes if all you want is the header info) or get Cace's Pilot which has trigger mechanisms (called Watches)

permanent link

answered 11 Jan '11, 18:42

hansangb's gravatar image

hansangb
7912619
accept rate: 12%

Ninjadude, When you open the capture options (CTRL-K), 1) Specify the file name (under Capture Files section). 2) Check the "Use multiple files" 3) Determine if you want the rotation of files to happen based on time (next file every x min) or by capture file size (next file every x MB) 4) Check the "Ring buffer with x files" and figure out how many files you want to create before wrapping around. Make sure you have enough HD space.

That's pretty much it.

permanent link

answered 12 Jan '11, 05:35

hansangb's gravatar image

hansangb
7912619
accept rate: 12%

I followed your instructions above. Why are the files captured contain unreadble characters??? I was going to do the same problem for Ninjadude101, capturing the DoS attack events to a log.

(13 Apr '12, 01:18) misteryuku

how to start capture automatically when i copy any remote file and it should stop as it file transfer complete??

permanent link
This answer is marked "community wiki".

answered 11 Oct '12, 19:07

Ali's gravatar image

Ali
1
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×549
×57
×8
×2

question asked: 11 Jan '11, 15:43

question was seen: 8,112 times

last updated: 11 Oct '12, 19:07

p​o​w​e​r​e​d by O​S​Q​A