Hi all,

We are interested in developing a baseline for our network traffic between sites. This will be used to create port-based ACLs on the routers. In order to reduce the size of our captures, we are planning to use a capture filter to look for SYN packets. However, ideally the end-game is to have a list of ports for each site and therefore we only need ONE SYN packet for each IP address/port pair. I can massage the data after the capture, but I'm wondering if anyone has any advice on clever and easy ways to do this in Wireshark.

Thanks, - Steve

asked 30 Sep '10, 12:12 RSteveKadish
One Answer:
This is something that Wireshark can't do, but fortunately, tshark can. tshark is one of the CLI tools that are also installed when you install Wireshark. You can use the following:
If you also would like to know from which IPs the traffic is coming, you can use:
And if you are interested in how often sessions are set up, just add "-c" at the end. If you would like to have a top 10 of destination host/ports, you can use:
(If you use Windows, these commands can be used within a Cygwin shell; have a look at http://www.cygwin.com)

answered 30 Sep '10, 12:54 SYN-bit ♦♦
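As an added example (not Sake's original commands, which are not reproduced on this page): a tshark pipeline that turns a capture into the per-site destination/port list the question asks for, plus the per-source variant and a top-10 by SYN count. It assumes tshark and POSIX awk/sort/uniq are on the PATH; the `SAMPLE` lines are constructed tshark output, not real data. `-Y` is the display-filter option in tshark 1.10 and later; older versions use `-R` for the same purpose, and if the capture file already contains only SYN packets the filter can be dropped entirely.

```bash
#!/bin/sh
# Added example: extract unique IP/port pairs from SYN-only packets with tshark.
# Assumes tshark, awk, sort, uniq and head are available (assumption).

# Emit one line per SYN-without-ACK packet: "src\tdst\tdstport".
# The display filter is the equivalent of the capture filter tcp[0xd]&18=2
# (byte 13 of the TCP header holds the flags; 18 = SYN|ACK, 2 = SYN).
syn_fields() {  # $1 = pcap file
  tshark -r "$1" -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
    -T fields -e ip.src -e ip.dst -e tcp.dstport
}

# Unique destination/port pairs: the basis for port-based ACLs.
uniq_dst_ports() {
  awk -F'\t' '{ print $2 "\t" $3 }' | sort -u
}

# Unique source -> destination/port triples, if you also need the talkers.
uniq_flows() {
  sort -u
}

# Top N destination/port pairs by number of SYNs (how often sessions are set up).
top_dst_ports() {  # $1 = N (default 10)
  awk -F'\t' '{ print $2 "\t" $3 }' | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Constructed sample of tshark "-T fields" output (not real traffic).
SAMPLE=$(printf '10.1.1.5\t10.2.2.10\t443\n10.1.1.5\t10.2.2.10\t443\n10.1.1.6\t10.2.2.10\t443\n10.1.1.5\t10.2.2.11\t22\n10.1.1.7\t10.2.2.12\t3389\n')

# Stand-alone use: pass a pcap file to run against real data; with no
# argument the constructed sample is used so the script runs without tshark.
if [ -n "$1" ] && command -v tshark >/dev/null 2>&1; then
  echo "== unique dst/port"; syn_fields "$1" | uniq_dst_ports
  echo "== top 10 dst/port";  syn_fields "$1" | top_dst_ports 10
else
  echo "== unique dst/port (sample)"; printf '%s\n' "$SAMPLE" | uniq_dst_ports
  echo "== unique flows (sample)";    printf '%s\n' "$SAMPLE" | uniq_flows
  echo "== top 10 dst/port (sample)"; printf '%s\n' "$SAMPLE" | top_dst_ports 10
fi
```

Run `./syn_baseline.sh capture.pcap` (name assumed) per site; the first list is what goes into the ACL, and the `uniq -c` counts help spot ports that appear only once, which are worth checking before they are baked into a permit rule.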
Hi Sake,
Thanks very much! This is great info.
I already have a capture running with the tcp[0xd]&18=2 filter (because there simply isn't going to be enough disk space for a full capture). So I assume that I should use the tshark syntax you provided and just leave out the -R option?
Thanks, - Steve
Sure thing, if the tracefile only contains the SYN packets, there's no need to filter for SYN packets again :-)
Hi Sake,
I wanted to let you know that I played around with these commands (after a week of capturing) and they are extremely helpful. They will save me a lot of work by not having to massage the data manually.
Best, - Steve
Glad this worked for you! And thanks for the feedback :-)