Hello. We have several computers that are running Wireshark and sniffing data packets for us to send to a large phone company. But each day I have to log in to these machines and manually upload the files to our FTP server... and these machines are so slow! Isn't there a built-in uploader in Wireshark, or can someone recommend a third-party software? I need the software to upload ONLY files that have been completed (200MB) and delete them afterwards. Please help me out :)
asked 11 Jul '13, 01:58 ksl
One Answer:
Some answers.
To be able to name some, please tell us what communication protocols are available for the upload (FTP, HTTP, HTTPS, SSH, anything else). What is your OS on the capturing machine? BTW: How do you capture the traffic? With dumpcap and ring buffers or with Wireshark/tshark?

UPDATE: As your systems are Windows (XP and 7), here are some recommendations on how to automate the upload. First use a file/folder monitoring tool to detect changes in a directory (newly added capture files). Then use a scripted FTP client (or a custom batch script) to upload the files. The tricky part is to detect the "finished/completed" capture files that are ready for an upload. That depends on how those files are being generated (dumpcap, tshark, Wireshark). Together with a batch script it should be possible to retrieve only those files with an older 'last write' date. But that's a question you had better ask in a Windows batch programming forum.

UPDATE 2: As you requested an easier solution, here we go. Try the following software. According to the product features, it has all you need to automate the capture file upload. A quick review on my test system looks promising.

UPDATE 3: Here is the super simple solution ;-) While Wireshark/dumpcap writes to a capture file, the file is locked by the OS. You can use that in the following way.
Regards
answered 11 Jul '13, 02:11 Kurt Knochner ♦ edited 12 Jul '13, 01:39
Hello.
I use WinXP and Win7 (both 32 bit).
It will be FTP upload.
About the last answer... I don't know - I have only been told to back these up each day, I'm not working with this normally... But where can I see that? So that I can inform you.
Maybe just ask the one who set up the capture process, as this is essential for any automation.
see my UPDATE in the answer
There must be an easier way... I'm already stuck
easier? In terms of what?
stuck? Where?
I wrote a network forensic tool for automated trace file analysis, and what I do to check if dumpcap is still writing packets to a file is to try to open it for exclusive read access. If that fails, it's still in use. Maybe you can script something like this as well, or find a tool that can detect if a file is still in use.
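Putting the answer's 'older last-write date' rule (UPDATE) and Jasper's exclusive-open check together, here is an added Python example; it is not code from the thread, from Wireshark or from either tool mentioned. The capture directory, the 600-second idle threshold and the FTP host/credentials are assumptions to be replaced.

```python
# Added example (not from the thread): select the capture files dumpcap has
# finished with, upload them via FTP, and delete the local copy afterwards.
import ctypes
import ftplib
import os
import sys
import time
from pathlib import Path

ERROR_SHARING_VIOLATION = 32  # Win32 error: another process still holds the file


def locked_by_writer(path: Path) -> bool:
    """Jasper's trick: ask Windows for exclusive access (share mode 0).
    While dumpcap is still writing, CreateFileW fails with a sharing
    violation. On other OSes the probe is unavailable and returns False."""
    if sys.platform != "win32":
        return False
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    GENERIC_READ, OPEN_EXISTING = 0x80000000, 3
    handle = k32.CreateFileW(str(path), GENERIC_READ, 0, None, OPEN_EXISTING, 0, None)
    if handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        return ctypes.GetLastError() == ERROR_SHARING_VIOLATION
    k32.CloseHandle(ctypes.c_void_p(handle))
    return False


def is_ready(mtime: float, locked: bool, now: float, min_age_s: float) -> bool:
    """A file is complete when nobody has written it for min_age_s
    (the 'older last-write date' rule) and no process holds it open."""
    return (now - mtime) >= min_age_s and not locked


def completed_captures(capture_dir, min_age_s=600, now=None):
    """Return the capture files in capture_dir that pass is_ready()."""
    now = time.time() if now is None else now
    files = sorted(Path(capture_dir).glob("*.pcap*"))  # assumed naming
    return [p for p in files
            if is_ready(p.stat().st_mtime, locked_by_writer(p), now, min_age_s)]


def upload_and_delete(files, host, user, password, remote_dir="/"):
    """Scripted FTP upload; the local file is removed only after the server
    confirms the STOR finished, so a failed transfer keeps the original."""
    done = []
    with ftplib.FTP(host, user, password) as ftp:
        ftp.cwd(remote_dir)
        for p in files:
            with open(p, "rb") as fh:
                ftp.storbinary(f"STOR {p.name}", fh)
            os.remove(p)
            done.append(p.name)
    return done
```

Run it from a scheduled task as `upload_and_delete(completed_captures(r"C:\captures"), "ftp.example", "user", "pw")` (assumed values); the ring-buffer file currently being written stays behind because it is both recent and locked.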
commercial, internal use or free? :-)
Internal use only, sorry :-)
O.K. I understand. Anyway, what is the purpose of the tool, meaning what kind of analysis did you implement?
It is scanning network packets for indicators of infected systems, based on patterns we have seen in some of our cases. It's basically looking at layers above layer 4, ignoring the trivial stuff like nmap scans, invalid TCP flags etc. One example is looking at HTTP headers that are "funny" or inconsistent or connect to hosts on a list of known bad systems. Some of that can be done by parsing logs of course, but I prefer having full packet captures to see what is actually going on instead of looking at metadata in logs. Plus, a packet capture can be implemented without disturbing productive systems and is often faster to achieve than tracking down the guy who can give me access to tons of log files.
Sounds nice :-) Do you parse tshark output or do you read the pcap file directly?
@ksl:
see UPDATE 2 in my answer.
@Kurt: It reads trace files directly, preferably PCAPng, but it can also read pcap and Sniffer .enc/.cap files. The code is basically built upon a packet analysis framework written from scratch, not using any existing libraries. A lot of it is also used in TraceWrangler, which is available for free at http://www.tracewrangler.com
I got the script to work... and I can monitor the files with the Directory Monitor... But I'm stuck at getting it to upload the file when the file is filled or a new one is created.
I want to upload the files when the log is filled or a new one is created. Else it might upload a "corrupt" file (not yet completed file).
@ksl: See UPDATE 2 in my answer. With that tool, you can upload files that have not been 'touched' (written) today, which excludes the current file. A similar thing should be done with Directory Monitor. You need to figure out (with a script) if the reported file is still open (see the hint of @Jasper).
BTW: Were you able to figure out the capture process (how the files are being generated)? Maybe that will help as well.
@Jasper:
You like it the hard way, right ;-))
I'll have a look. Thanks.
@ksl: see my UPDATE 3 for a super simple solution.