How to capture packets using wireshark

From Kolmisoft Wiki
Latest revision as of 08:43, 6 December 2022



==About==

Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. More information about Wireshark can be found [http://en.wikipedia.org/wiki/Wireshark here].

==Install==

To install Wireshark, run this command in the terminal:

yum -y install wireshark

On CentOS/RHEL this package provides the command-line tools; the capture tool is tshark (tethereal is its older name, which the commands below use and which old packages still provide). Capturing requires root privileges.



==Usage==

===Capture all traffic===

After that you can start a capture with the command:

tethereal -i eth0 -w /home/capture.pcap

(on current versions the command is tshark, with the same options.)

'''Please note that in this example and the other examples below we are using the network interface eth0. On your server the interface may have another name (eth1, em1, etc.), so put your server's actual interface name.'''

To save the dump of packets, stop capturing by pressing Ctrl+C.

Packets will be saved to the file /home/capture.pcap.

You can copy the captured file capture.pcap from your server, open it with the Wireshark GUI and analyse the packets.

===Capture only SIP traffic===

If you have many calls, capturing all traffic will produce a huge file after a few minutes. Often we are only interested in SIP traffic (which by default is sent/received on port 5060), so to capture only SIP traffic you can use this command:

tethereal -i eth0 -w /home/capture.pcap port 5060

====Capture SIP traffic only for a specific IP====

tethereal -i eth0 -w /home/siptrace.pcap port 5060 and host 123.123.123.123

====Capture SIP traffic on port 5060 and RTP traffic====

tcpdump -i eth0 -s 0 -w capture.cap 'udp port 5060 or udp portrange 10000-20000'

====Capture SIP traffic on port 5060 and RTP traffic into split files====

tcpdump -i eth0 -s 0 -C 200 -Z root -w capture 'udp port 5060 or udp portrange 10000-20000'

Without -W (see below) tcpdump keeps creating new files (capture, capture1, capture2, ...) until the disk fills, so do not leave this variant running unattended.

====Capture SIP traffic on port 5060 and RTP traffic for a specific IP address====

tcpdump -i eth0 -s 0 -w capture.pcap '(host 192.168.0.192 or host 192.168.0.8) and (udp port 5060 or udp portrange 10000-20000)'

The parentheses matter: in tcpdump filters "and" binds tighter than "or", so without them the host restriction would apply only to the SIP part and RTP would be captured for every host. tcpdump options (-s, -w, -C, ...) must come before the filter expression, and the expression is quoted so the shell does not interpret the parentheses.

===Capture traffic into split files===

If a complete traffic trace is needed and you need to leave the trace running for a long time, it is convenient to split the trace into smaller files and cycle them after a certain number of files; otherwise Wireshark can take a very long time, or crash, when opening a very large file. This can be achieved with the tcpdump -C and -W options: -C specifies the size of each file (in MB) and -W specifies the number of files after which new files start overwriting the old ones. For example, this command:

tcpdump -i eth0 -s 0 -C 200 -W 40 -Z root -w capture

creates a new file once the current file reaches 200MB, and after 40 files have been created the newest one overwrites the oldest one, and so on, thus using at most 200*40 = 8000MB of disk space. With -W, tcpdump zero-pads the numeric suffix so the files sort correctly (capture00 ... capture39). -Z root is there because tcpdump on many distributions drops root privileges after opening the first file and would then be unable to create the following ones.

To capture traffic from/to a specific IP you can use this command:

tcpdump -i eth0 -s 0 -C 200 -W 40 -Z root -w capture host 1.2.3.4

To capture only SIP traffic you can use this command:

tcpdump -i eth0 -s 0 -C 200 -W 40 -Z root -w capture port 5060
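The following script is an added example, not code from the Kolmisoft wiki page. It ties together the two recipes above, the host-restricted SIP+RTP filter and the -C/-W ring buffer: it builds the BPF expression with explicit precedence, computes the disk budget of the ring buffer, composes the tcpdump command line with options before the filter, and checks that a finished file really is a pcap/pcapng before it is copied off the server. The function names and the sample host addresses are this example's own assumptions; the port, port range and file sizes are the page's.

```shell
#!/bin/sh
# Added example (not part of the wiki page): compose and sanity-check a
# rotating SIP+RTP capture. Function names and sample hosts are constructed.

# Build a BPF filter for SIP (UDP port SIP_PORT) plus RTP (UDP portrange
# RTP_RANGE), optionally limited to one or more hosts. BPF "and" binds
# tighter than "or", so both halves are parenthesised explicitly; otherwise
# "port 5060 and host A or udp portrange ..." applies the host only to SIP.
# Usage: build_filter SIP_PORT RTP_RANGE [HOST ...]
build_filter() {
    sip_port=$1
    rtp_range=$2
    shift 2
    proto="udp port $sip_port or udp portrange $rtp_range"
    if [ $# -eq 0 ]; then
        printf '%s' "$proto"
        return 0
    fi
    hosts=""
    for h in "$@"; do
        hosts="${hosts:+$hosts or }host $h"
    done
    printf '(%s) and (%s)' "$hosts" "$proto"
}

# Disk budget of a "-C SIZE_MB -W COUNT" ring buffer, in MB
# (the page's -C 200 -W 40 gives 8000 MB).
ring_budget_mb() {
    echo $(( $1 * $2 ))
}

# Compose the tcpdump command line: options first, filter last and quoted.
# -Z root keeps the rotated files creatable if tcpdump drops privileges
# after the first file. Echoes the command; does not run it.
capture_cmd() {
    iface=$1; size_mb=$2; count=$3; out=$4; filter=$5
    printf "tcpdump -i %s -s 0 -C %s -W %s -Z root -w %s '%s'" \
        "$iface" "$size_mb" "$count" "$out" "$filter"
}

# Verify that a finished file is a pcap or pcapng before copying it off the
# server: the first four bytes must be one of the known magic numbers
# (classic pcap in either byte order, nanosecond pcap, or a pcapng SHB).
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration with the page's values and two constructed sample hosts.
filter=$(build_filter 5060 10000-20000 192.168.0.192 192.168.0.8)
echo "filter:   $filter"
echo "disk use: $(ring_budget_mb 200 40) MB"
echo "command:  $(capture_cmd eth0 200 40 /home/capture "$filter")"

# Actually start the capture (needs root) only when explicitly requested:
#   RUN_CAPTURE=1 sh capture.sh
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    tcpdump -i eth0 -s 0 -C 200 -W 40 -Z root -w /home/capture "$filter"
fi
```

Run it without RUN_CAPTURE to see the filter, the disk budget and the exact command it would execute; after a capture has finished, `pcap_magic_ok /home/capture00 && echo ok` confirms the file has a valid capture header before you transfer it to a workstation with the Wireshark GUI.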

==Additional notes==

You can analyse network packets in real time on the server using the command:

tshark

More options for the tshark command can be found [http://www.wireshark.org/docs/wsug_html_chunked/AppToolstshark.html here].



=See also=

* [[PCAP does not show LegB of a call]]