At work I've been trying to set up a machine with the sole purpose of capturing traffic for later analysis.
Linux seemed like the best option since it requires very few resources. I've tried tshark, dumpcap and tcpdump. With all 3 command line tools it displays packet drops as high as 20% (I'm assuming because the hardware can't handle the amount of traffic). So I tried with Windows and the number of dropped packets was 0...
Can anyone relate? Could this be the difference in libpcap and winpcap?
Test traffic (throughput and such) was the same.
Software used:
Linux: Debian 7; libpcap v1.3.0-1; tshark v1.8.2-5; tcpdump v4.3.0-1
Windows: Windows XP SP3; winpcap v4.1.3; wireshark v1.10.2
asked 16 Oct '13, 03:49
Thanks for clearing that up. It would be logical to leave/display it in the status bar. Anyway, without going off topic:
Has anyone ever experimented with pf_ring before? I found this interesting article: Improving Passive Packet Capture: Beyond Device Polling
I was wondering if this could boost performance. It actually describes everything I experienced.
answered 17 Oct '13, 09:03
Problems arose on Raspbian and Debian. After better results on Ubuntu and near perfect results in Kali, I figure that's the problem.
Thanks for all the assistance.
answered 17 Oct '13, 07:16