This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Help requested: Basic capture and statistics


Greetings!

I'm trying to answer a simple question: what's eating up my bandwidth on one machine? I would like to see a list of URLs or IP addrs and throughput for each one in a 24-hour period. I've been told that WireShark can do this, but I don't have the expertise to set this up properly (I'm an old techie but don't know much about comms).

Could I trouble someone to guide me on the settings required to do this, please? For example, I set "limit each packet" to 100 bytes, since I'll be capturing for 24 hrs, but I have no idea if this is enough -- or more than needed.

Thank you very much for any help, info, guidance, etc.!

Ariel

asked 13 Feb '15, 09:37


arielsfr

edited 13 Feb '15, 09:47


One Answer:


There are probably a few tutorials out there, so this should get you on the right track if you need to search for more info. I also assume you can find your way around a manual page and a command line.

We'll start at layer 1; I've got no idea about your network setup, but here you should be able to find info on how to define your capture point.

Now that we know where to capture we'll set up a capture session. Wireshark is perfectly capable of managing a capture, but doesn't do it itself. It spawns dumpcap to do the heavy lifting. All that Wireshark does is read the packets and analyse them. Now there's one thing to know about that, and that's that Wireshark keeps metadata on all the packets in memory. Now you understand why it can blow the beefiest machine out of the water: just capture more packets.

You already figured out that you can limit the amount of data by limiting the capture size. That's a good thing, but tricky, because you have to figure out how much to keep (trial and error come to mind). Also we don't want Wireshark to blow up in a long-term capture/dissection session. Therefore we can launch the capture engine directly, keeping 'the shark at bay' for now.

Referring to the manual page you can work out the parameters to use to get 24h worth of capture data in reasonably sized capture files (plural), with a reasonable number of packets. There are other command line tools available to manipulate the capture files should there be any resizing to be done afterwards.

Now, assuming that you have reasonably sized capture files, you can load them in Wireshark and use the menu options found in the Analyse menu to get views of the data captured, e.g. type of network traffic, IP addresses and HTTP analysis. When confronted with HTTPS, you can look at the DNS traffic to see what resolving is going on, presumably for HTTP.

So, these are some tips to do this using Wireshark. But is this the right tool for the job? Have you looked into something like ntop-ng for instance? It's using the same capture infrastructure down at layer 1 and 2, but does the analysis a whole lot better.

answered 14 Feb '15, 03:04


Jaap ♦
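As an added illustration of the post-capture statistics step (example code, not part of the original answer): once dumpcap has written the ring-buffer files, tshark can dump one line per packet with `-T fields`, and a short script can turn that into per-peer byte totals and average throughput for the machine. The interface name, file names and the sample packet lines below are constructed assumptions; note that `frame.len` is the length on the wire, so the 100-byte snaplen the asker chose does not distort the byte totals (`frame.cap_len` would).

```python
"""Per-peer byte totals and throughput from tshark field output.

Assumed pipeline (illustrative command lines, not from the original post):

  dumpcap -i en0 -s 100 -b duration:3600 -b files:24 -w day.pcapng
  tshark -r day_00001_20150214000000.pcapng -T fields -E separator=/t \
         -e frame.time_epoch -e ip.src -e ip.dst -e frame.len > day.tsv
"""
from collections import defaultdict
from typing import Dict, Iterator, Tuple

# Constructed sample of tshark -T fields output: epoch time, src, dst, wire length.
# The fifth line is a non-IP frame (e.g. ARP), which has empty ip.src/ip.dst.
SAMPLE_TSV = """\
1423958400.000\t192.168.1.10\t93.184.216.34\t1500
1423958400.500\t93.184.216.34\t192.168.1.10\t66
1423958401.000\t192.168.1.10\t8.8.8.8\t80
1423958402.000\t8.8.8.8\t192.168.1.10\t120
1423958403.000\t\t\t60
1423958410.000\t192.168.1.10\t93.184.216.34\t1500
"""

def parse_tsv(text: str) -> Iterator[Tuple[float, str, str, int]]:
    """Yield (time, src, dst, wire_len) per IP packet; skip non-IP frames."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4 or not fields[1] or not fields[2]:
            continue
        yield float(fields[0]), fields[1], fields[2], int(fields[3])

def bytes_per_peer(text: str, local_ip: str) -> Dict[str, Dict[str, int]]:
    """Sum wire bytes exchanged with each remote address, split by direction."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: {"sent": 0, "received": 0})
    for _, src, dst, wire_len in parse_tsv(text):
        if src == local_ip:
            totals[dst]["sent"] += wire_len
        elif dst == local_ip:
            totals[src]["received"] += wire_len
    return dict(totals)

def throughput_bps(text: str, local_ip: str) -> Dict[str, float]:
    """Average bits per second per remote address over the whole capture span."""
    times = [t for t, _, _, _ in parse_tsv(text)]
    if not times:
        return {}
    span = max(times) - min(times) or 1.0  # avoid division by zero for one packet
    return {peer: (d["sent"] + d["received"]) * 8 / span
            for peer, d in bytes_per_peer(text, local_ip).items()}

if __name__ == "__main__":
    for peer, bps in sorted(throughput_bps(SAMPLE_TSV, "192.168.1.10").items(),
                            key=lambda kv: kv[1], reverse=True):
        print(f"{peer:>16}  {bps:10.1f} bit/s")
```

Point it at the concatenated output of all 24 hourly files and the top of the sorted list is the answer to "what's eating my bandwidth"; resolving the peer addresses back to names is what the DNS traffic in the same capture is for.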

Hello, Jaap,

Thank you very much for taking the time and trouble to explain this! It has helped a lot; it gave me a starting point from which to learn more.

Originally, I had tried nettop and iftop -- both excellent programs, but they only handle real-time transactions. That's when I asked a fellow OS X user for help, and he suggested WireShark, which is what brought me here.

ntop-ng looks like it's exactly what I need, but unfortunately, I can't get it to work on my system. After doing some homework, I tried many different things, both *nix and Mac-specific, but haven't found anything satisfactory yet. As it stands now, I want to experiment with tcpdump for the capture, and see if I can find some statistics package to look at the results -- or, if absolutely necessary, write a few perl scripts (my time is very limited). I don't think I can get the stats I need with WireShark, but when the time comes, I can study the manual and find out for myself, now that it's no longer incomprehensible!

Again, thank you very much for your help! All the best -- Ariel

(23 Feb '15, 13:28) arielsfr

Good luck. If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(24 Feb '15, 22:52) Jaap ♦