This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Greetings Wireshark Wizes! Tonight I downloaded the tool and read through some of the documentation. Without tunneling too much further, I wanted to see if the pros think there is gold at the end of my tunnel. What I'm looking for is this: A background TCP monitoring program that will alert me and run a script when a certain IP sends me a packet, or when a certain packet is received regardless of the source.

Based on playing around with Wireshark for 5 minutes, it should have NO problem observing and filtering traffic to find what I'm looking for. However, I'm having a hard time seeing how you would run a script when a certain packet is received. In the documentation(5.7.4) I see it is possible to export filtered data to a C array (although I don't see where it explains how to do that). Could the data be constantly streamed to some buffer location where I can sort through it using another program?

I play around with a script building program called AutoHotkey, so if I could read the packet information with AutoHotkey, my problems would be solved. What do you think? Is this the right place for me? If not, does anyone have any recommendations? Thanks! JD

asked 03 May '13, 02:44

Zoroaster's gravatar image

Zoroaster
1112
accept rate: 0%

Thanks guys for the fast response! I got swamped with other projects, so this will have to wait for a while, but thanks for saving me a bunch of time, and pointing me in some new directions. When I get a chance, I'll followup with y'alls suggestions/questions. thanks! JD

(07 May '13, 02:42) Zoroaster

Hi JD, wireshark is NOT the tool for your purpose. Wireshark is great as an analyzer, but not good as a monitoring tool, as it keeps state of session for doing further analysis. This means you will run out of memory doing long term capturing.

You can use dumpcap (included with wireshark) for long-term capturing and use a ringbuffer of X files to make your harddrive not fill up. I have used this setup for months in a row. You can then write a script that processes each completed file (with tshark for instance) to see whether there is a packet of interest and based on the result fire another script.

The big questions are: - how much traffic do you need to keep up with - how soon must you be notified after the packets of interest were seen

Answer to these questions will determine the sizing of the box needed and the parameters for dumpcap to make this happen.

In short, wireshark itself is not the tool for you, but the accompanied dumpcap and tshark and a little scripting can do the trick.

permanent link

answered 03 May '13, 02:57

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

A combination of ngrep and some scripting might be the better tool for you.

A background TCP monitoring program that will alert me and run a script when a certain IP sends me a packet, or when a certain packet is received regardless of the source.

BTW: What are your trying to do? Why do you need to capture a packet with a sniffer that is sent to your system or an application on your system? Wouldn't it be easier to handle that packet in the application?!?

Regards
Kurt

permanent link

answered 03 May '13, 03:16

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×82
×31
×7
×4
×3

question asked: 03 May '13, 02:44

question was seen: 2,617 times

last updated: 07 May '13, 03:03

p​o​w​e​r​e​d by O​S​Q​A