Greetings Wireshark Wizes! Tonight I downloaded the tool and read through some of the documentation. Without tunneling too much further, I wanted to see if the pros think there is gold at the end of my tunnel. What I'm looking for is this: a background TCP monitoring program that will alert me and run a script when a certain IP sends me a packet, or when a certain packet is received regardless of the source. Based on playing around with Wireshark for 5 minutes, it should have NO problem observing and filtering traffic to find what I'm looking for. However, I'm having a hard time seeing how you would run a script when a certain packet is received. In the documentation (5.7.4) I see it is possible to export filtered data to a C array (although I don't see where it explains how to do that). Could the data be constantly streamed to some buffer location where I can sort through it using another program? I play around with a script-building program called AutoHotkey, so if I could read the packet information with AutoHotkey, my problems would be solved. What do you think? Is this the right place for me? If not, does anyone have any recommendations? Thanks! JD asked 03 May '13, 02:44 Zoroaster
2 Answers:
Hi JD, Wireshark is NOT the tool for your purpose. Wireshark is great as an analyzer, but not good as a monitoring tool, as it keeps session state for doing further analysis. This means you will run out of memory doing long-term capturing. You can use dumpcap (included with Wireshark) for long-term capturing and use a ring buffer of X files so your hard drive does not fill up. I have used this setup for months in a row. You can then write a script that processes each completed file (with tshark, for instance) to see whether there is a packet of interest and, based on the result, fire another script. The big questions are:

- how much traffic do you need to keep up with
- how soon must you be notified after the packets of interest were seen

The answers to these questions will determine the sizing of the box needed and the parameters for dumpcap to make this happen. In short, Wireshark itself is not the tool for you, but the accompanying dumpcap and tshark and a little scripting can do the trick. answered 03 May '13, 02:57 SYN-bit ♦♦
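One way to put the dumpcap ring buffer plus "process each completed file" approach into practice, as an added example that is not code from the thread or from the Wireshark project: the script below assumes dumpcap is writing libpcap-format files into a directory (for instance `dumpcap -i eth0 -P -b filesize:10240 -b files:10 -w /var/captures/cap.pcap`; `-P` forces pcap rather than pcapng output), reads each finished file itself instead of shelling out to tshark, and calls a handler for every packet that either comes from a watched source IP or carries a watched payload string regardless of source. The watched IP, the payload marker, the directory pattern and the handler are all constructed placeholder values for this example, and the sample capture it builds in memory is constructed too, so the matching logic can be run offline.

```python
"""Scan completed dumpcap ring-buffer files for packets of interest and fire a
handler.  Example code, not from the thread; all values below are constructed."""
import glob
import ipaddress
import os
import struct
import time

WATCH_IP = ipaddress.IPv4Address("203.0.113.7")   # hypothetical "certain IP"
WATCH_PAYLOAD = b"MAGIC"                          # hypothetical "certain packet" marker
ETHERTYPE_IPV4 = 0x0800


def iter_pcap_packets(data: bytes):
    """Yield (timestamp, frame) records from a libpcap-format capture held in memory."""
    if len(data) < 24:
        return
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                 # little-endian file, microsecond timestamps
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file (write with dumpcap -P, not pcapng)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:   # DLT_EN10MB
        raise ValueError("only Ethernet link-layer captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:    # truncated last record: file still being written
            break
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def parse_ipv4(frame: bytes):
    """Return (src, dst, proto, ip_payload) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ipaddress.IPv4Address(frame[26:30])
    dst = ipaddress.IPv4Address(frame[30:34])
    return src, dst, frame[23], frame[14 + ihl:14 + total_len]


def find_hits(data: bytes):
    """Return (timestamp, src, dst, reason) for each packet matching a watch rule."""
    hits = []
    for ts, frame in iter_pcap_packets(data):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, proto, l4 = parsed
        app = l4[(l4[12] >> 4) * 4:] if proto == 6 and len(l4) >= 20 else l4  # strip TCP header
        if src == WATCH_IP:
            hits.append((ts, str(src), str(dst), "source-ip"))
        elif WATCH_PAYLOAD in app:
            hits.append((ts, str(src), str(dst), "payload"))
    return hits


def completed_files(pattern: str, seen: set):
    """The newest ring-buffer file is still open by dumpcap; everything older is complete."""
    files = sorted(glob.glob(pattern), key=os.path.getmtime)
    return [f for f in files[:-1] if f not in seen]


def watch(pattern: str, handler, poll_seconds: float = 2.0):
    """Poll the capture directory forever; handler(path, hit) is the 'fire another script' hook."""
    seen = set()
    while True:
        for path in completed_files(pattern, seen):
            with open(path, "rb") as fh:
                for hit in find_hits(fh.read()):
                    handler(path, hit)   # e.g. subprocess.run(["/usr/local/bin/alert.sh", *hit[1:]])
            seen.add(path)
        time.sleep(poll_seconds)


# --- constructed sample capture so the matcher can be exercised offline ---
def build_frame(src: str, dst: str, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_sample_pcap() -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [build_frame("203.0.113.7", "192.0.2.10", b"GET / HTTP/1.0\r\n"),   # watched IP
              build_frame("198.51.100.9", "192.0.2.10", b"hello MAGIC world"),  # watched payload
              build_frame("198.51.100.9", "192.0.2.10", b"nothing here")]       # no match
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1367539200 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for hit in find_hits(build_sample_pcap()):
        print("hit:", hit)
    # watch("/var/captures/cap_*.pcap", lambda p, h: print(p, h))  # run against a live ring buffer
```

Sizing note: `find_hits` reads one ring-buffer file at a time, so memory stays bounded by `-b filesize`, and notification latency is roughly one file's worth of traffic plus the poll interval; both are the two questions SYN-bit raises, and both are tuned by the dumpcap `-b` parameters rather than by the script.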
A combination of ngrep and some scripting might be the better tool for you.
BTW: What are you trying to do? Why do you need to capture a packet with a sniffer that is sent to your system or an application on your system? Wouldn't it be easier to handle that packet in the application?!? Regards answered 03 May '13, 03:16 Kurt Knochner ♦
Thanks guys for the fast response! I got swamped with other projects, so this will have to wait for a while, but thanks for saving me a bunch of time and pointing me in some new directions. When I get a chance, I'll follow up with y'all's suggestions/questions. Thanks! JD