This other post describe a more elegant way how to do the job tshark in network troubleshooting
Origin post:
One of the tool that a network engineers relay every day is a network sniffer. One of the most famous I believe is the 'tcpdump'.
Very often when you troubleshoot a problem you run it many time to verify the traffic on the wire. Let say that at some point you see where the problem may be and you need to sent an email with your analyze to another person.
Documenting your results can be very time consuming. To minimize our time and increase the quality of the results we would like to attach the dump files we review ourself of course. Unfortunately it can be a little annoying if we need to repeat our troubleshooting again only to save the dumps on the disk this time. Often sending the analyzed text output form tcpdumps is not enough as well.
This small tcpdump wrapper bellow can save you a lot of time by saving the tcpdump data to file and still letting you to follow the data on the screen in a live troubleshooting.
For couple of examples how to run in please scroll down.
The file with source code can be found here mytcpdump.sh
# you can define the filter and options in your bash variables
# example:
# T_FILTER='arp or icmp or not ip ( net 10.0.0.0/8 )
# T_OPTIONS='-s0 -nn'
# ------------------------------------------
# arg1 - filter to the wireshark
# arg2 - options to wireshark
mytcpdump () {
# parse args
DEFAULT_OPT='-s0 -l -nn -w - -i any'
if [ 'x-h' = x"$1" ] ; then
echo
echo "usage: mytcpdump [arg1] [arg2]"
echo " arg1 - wireshark network filter, by example: 'arp and (net 10/8)'"
echo " arg2 - wireshark options, default: '$DEFAULT_OPT'"
echo ""
echo " example:"
echo " mytcpdump"
echo " mytcpdump '(net 10.0.0.0/8 and not net 11.0.0.0/8) and port 22'"
echo " mytcpdump '(net 10.0.0.0/8 and not net 11.0.0.0/8) and port 22' '-s0 -l -nn -i eth0 -w -' "
echo
return
fi
# filters
if [ '1' != 1"$1" ] ; then
filter="$1"
elif [ '2' != 2"$T_FILTER" ]; then
filter=$T_FILTER
else
filter=""
fi
# options
if [ '1' != 1"$2" ] ; then
opts="$2"
elif [ '2' != 2"$T_OPTIONS" ]; then
opts=$T_OPTIONS
else
opts="$DEFAULT_OPT"
fi
t=`date +%s`;
echo "[$t]: timestamp is $t"
echo "[$t]: wireshark optoins are <$opts>"
echo "[$t]: wireshark filter is <$filter>"
cmd="tcpdump $opts $filter"
echo "[$t]: tcpdump cmd is <$cmd>"
f="/var/tmp/tcpdump.$t.pcap"
echo "[$t]: tcpdump pcap file <$f>"
chain="$cmd | tee $f | tcpdump -r- -nn"
echo "[$t]: running the bash command chains <$chain>"
$cmd | tee $f | tcpdump -r- -nn
}
alias myt='mytcpdump'
Usage help
# myt -h usage: mytcpdump [arg1] [arg2] arg1 - wireshark network filter, by example: 'arp and (net 10/8)' arg2 - wireshark options, default: '-s0 -l -nn -w - -i any' example: mytcpdump mytcpdump '(net 10.0.0.0/8 and not net 11.0.0.0/8) and port 22' mytcpdump '(net 10.0.0.0/8 and not net 11.0.0.0/8) and port 22' '-s0 -l -nn -i eth0 -w -'
Examples:
These 2 examples bellow show how to use this small wrapper. Each time we can monitor live traffic on the console output from tcpdump and in the same time be sure that a copy of the raw tcpdump data is written to the disk.
The file you may want to copy then later is shown at the beginning after the header '[timestmap]'. In our examples the file names are:
/var/tmp/tcpdump.1301166859.pcap /var/tmp/tcpdump.1301166869.pcap
# myt [1301166859]: timestamp is 1301166859 [1301166859]: wireshark optoins are <-s0 -l -nn -w - -i any> [1301166859]: wireshark filter is <> [1301166859]: tcpdump cmd is <tcpdump -s0 -l -nn -w - -i any > [1301166859]: tcpdump pcap file </var/tmp/tcpdump.1301166859.pcap> [1301166859]: running the bash command chains <tcpdump -s0 -l -nn -w - -i any | tee /var/tmp/tcpdump.1301166859.pcap | tcpdump -r- -nn> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes reading from file -, link-type LINUX_SLL (Linux cooked) 19:14:19.837101 IP 192.168.43.111 > 212.77.100.101: ICMP echo request, id 42106, seq 5396, length 64 ^Ctcpdump: pcap_loop: error reading dump file: Interrupted system call 4 packets captured 6 packets received by filter 0 packets dropped by kernel # myt 'icmp or arp' [1301166869]: timestamp is 1301166869 [1301166869]: wireshark optoins are <-s0 -l -nn -w - -i any> [1301166869]: wireshark filter is <icmp or arp> [1301166869]: tcpdump cmd is <tcpdump -s0 -l -nn -w - -i any icmp or arp> [1301166869]: tcpdump pcap file </var/tmp/tcpdump.1301166869.pcap> [1301166869]: running the bash command chains <tcpdump -s0 -l -nn -w - -i any icmp or arp | tee /var/tmp/tcpdump.1301166869.pcap | tcpdump -r- -nn> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes reading from file -, link-type LINUX_SLL (Linux cooked) 19:14:29.847649 IP 192.168.43.111 > 212.77.100.101: ICMP echo request, id 42106, seq 5406, length 64 ^C2 packets captured 2 packets received by filter 0 packets dropped by kernel tcpdump: pcap_loop: error reading dump file: Interrupted system call
Posts
No comments:
Post a Comment