This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Some help for a NewB


I have an ESXi VM Host running a VM of CentOS and a Windows 7 VM. My question is multi tiered and I apologize in advance if these questions could be answered elsewhere, I'm kinda in a crunch. (New boss - new "Important Project" - sure you've been there before)

From the CentOS VM I need to run TShark and set a script to only make 400MB files and dump them to a folder which can then be read by my Win7 VM running Netwitness. In addition, the TShark has to maintain its process, meaning that if it stops it must auto restart immediately (can probably use some type of Cron job to do this - unless better method is suggested - my thought is a script that loops checking to see if Tshark is running and if not auto-restarts it, perhaps with watchdog). Once the "dump" folder reaches 50GB, TShark would then begin overwriting the oldest file. I have managed to create a folder on my Win7 VM called "Tshark" and have even managed to mount it to my CentOS VM at "/var/log/Tshark". I want Tshark to run as a background program and "never stop", always starting with startup of the machine (should it reboot). I also need the PCAPS it creates to be as verbose as possible in their captures.

Did I mention I'm a NEWB and my boss wants this yesterday? I have very limited experience with scripting, linux, etc. I'm an analyst... it's always just been set up when I get there... now I gotta do a Neo dump and hope I can fit the pieces together to build it from the ground - LOL. Thanks in advance for the kindness and responsiveness of the group. I'm sure the experience here will understand and be kind.

asked 28 Feb '13, 12:10

ERitz

edited 28 Feb '13, 12:19


One Answer:


From the CentOS VM I need to run TShark and set a script to only make 400MB files and dump them to a folder which can then be read by my Win7 VM running Netwitness.

If you want to analyze the data with Netwitness, don't capture with tshark. Either use dumpcap or tcpdump (see below).

In addition, the TShark has to maintain its process, meaning that if it stops it must auto restart immediately (can probably use some type of Cron job to do this - unless better method is suggested

You could add the dumpcap/tcpdump command to /etc/inittab with a respawn option, if inittab is available on your system. Init will then handle the restart of the command if it dies.

Another option would be monit.

http://mmonit.com/monit/

Unfortunately you need some linux skills to make either method work :-(

Once the "dump" folder reaches 50GB, TShark would then begin overwriting the oldest file.

For this you need the ring buffer feature of dumpcap and/or tcpdump:

dumpcap -q -ni eth0 -s0 -b filesize:400000 -b files:125 -w /var/log/Tshark/evidence.cap

or

tcpdump -ni eth0 -s0 -C 400 -W 125 -w /var/log/Tshark/evidence.cap

These commands will write 400 MB files (125 files == 50 GByte). The oldest file will then be overwritten.

I also need the PCAPS it creates to be as verbose as possible in their captures.

With the command above you will capture raw data, so it will contain the whole payload of the frames. The 'verbosity' comes with the analysis in Wireshark and/or Netwitness ;-)

Regards
Kurt

answered 28 Feb '13, 12:53

Kurt Knochner ♦

edited 28 Feb '13, 12:56
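The answer describes three pieces that the question asks for: a ring-buffer capture (400 MB files, 125 of them, oldest overwritten), a process that is restarted whenever it dies, and a dump directory that is really a mounted Windows share. The script below is an added example, not code from the original post or from the Wireshark project. It ties those pieces together in a supervisor loop around the dumpcap command from the answer. It assumes dumpcap is installed and allowed to capture on the interface, and it takes the interface name (eth0), the dump directory (/var/log/Tshark) and the sizes from the question as defaults; the log file path is an assumption you can override through the environment.

```shell
#!/bin/sh
# Added example (not from the original post or the Wireshark project): a
# supervisor for the ring-buffer capture described in the answer.
# Assumptions: dumpcap is installed and may capture on the interface; the
# interface, dump directory and sizes default to the values in the question
# and can be overridden via the environment.

IFACE="${IFACE:-eth0}"
OUTDIR="${OUTDIR:-/var/log/Tshark}"
FILE_MB="${FILE_MB:-400}"            # size of each capture file in MB
TOTAL_MB="${TOTAL_MB:-50000}"        # ring-buffer budget in MB (50 GB)
LOG="${LOG:-/var/log/capture-supervisor.log}"   # assumed log path
RESTART_DELAY="${RESTART_DELAY:-1}"  # seconds to wait before a restart

log() {
    # Append to the log file; fall back to stderr if it is not writable.
    printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG" 2>/dev/null ||
        printf '%s\n' "$*" >&2
}

# Number of files the ring buffer holds before the oldest is overwritten:
# 50000 MB / 400 MB = 125, the figure used in the answer.
ring_file_count() {
    file_mb=$1; total_mb=$2
    echo $(( total_mb / file_mb ))
}

# Build the dumpcap command line. dumpcap's "filesize:" switch counts kB,
# so 400 MB is written as filesize:400000, exactly as in the answer.
build_capture_cmd() {
    iface=$1; outdir=$2; file_mb=$3; total_mb=$4
    files=$(ring_file_count "$file_mb" "$total_mb")
    echo "dumpcap -q -n -i $iface -s 0 -b filesize:$(( file_mb * 1000 )) -b files:$files -w $outdir/evidence.cap"
}

# In the question the dump directory is a mounted Windows share. If that
# mount drops, dumpcap would quietly fill the local disk instead, so refuse
# to start unless the directory exists and is writable, and warn when it is
# not a mount point (the /proc/mounts check is Linux-specific).
check_outdir() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    if ! grep -qs " $dir " /proc/mounts; then
        log "warning: $dir is not a mount point"
    fi
    return 0
}

# Run the capture command and restart it whenever it exits. max_restarts
# (default 0 = run forever) bounds the loop so it can also be exercised in
# a test. Prints the number of times the command was started.
supervise() {
    cmd=$1; max_restarts=${2:-0}; starts=0
    while :; do
        log "starting: $cmd"
        rc=0
        sh -c "$cmd" || rc=$?
        log "capture exited with status $rc"
        starts=$(( starts + 1 ))
        if [ "$max_restarts" -gt 0 ] && [ "$starts" -ge "$max_restarts" ]; then
            break
        fi
        sleep "$RESTART_DELAY"
    done
    echo "$starts"
}

# Only start capturing when invoked as: sh capture-supervisor.sh run
case "${1:-}" in
    run)
        check_outdir "$OUTDIR" || { log "cannot write to $OUTDIR"; exit 1; }
        supervise "$(build_capture_cmd "$IFACE" "$OUTDIR" "$FILE_MB" "$TOTAL_MB")"
        ;;
esac
```

Start it once at boot (for example from /etc/rc.local) and the loop keeps dumpcap running; if your system has an inittab with a respawn action, as the answer suggests, you can instead put the dumpcap command line itself in a respawn entry and drop the loop. Either way, dumpcap does not need to run as root on Linux: the Wireshark project's documented approach is to grant the dumpcap binary the capture capabilities (CAP_NET_RAW and CAP_NET_ADMIN) with setcap, so the long-running capture process holds only the privileges it needs.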

Thanks Kurt. Thanks for the suggestion to use dumpcap/tcpdump; though I don't understand the "why" you prefer those two vs. Tshark? Not a challenge, just desire for greater understanding :). In the interim of waiting for an answer I did figure out the following command:

tshark -w /var/log/Tshark/evidence -t ad -b filesize:409600 -b files:125

Is this not recommended?

(01 Mar '13, 06:00) ERitz

tshark (and wireshark) build up state information about conversations over time so will run out of memory. dumpcap/tcpdump don't do that.

(01 Mar '13, 06:24) grahamb ♦