Here the 'tshark' command-line tool that ships with the 'wireshark' packet sniffer comes in handy to do the job in a simple and elegant way.
To capture all network packets and to write them to a file you would use a syntax similar to this one:
# tshark -nn -i any -w /tmp/net.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on Pseudo-device that captures on all interfaces
24
The '-n' switch turns off name resolution so the capture is not slowed down by DNS lookups (tshark also accepts the tcpdump-style '-nn', it is simply '-n' twice), and the trailing number is the live packet counter. Note that on Linux '-i any' does not record Ethernet frames but Linux "cooked" (SLL) pseudo-headers, which is what the saved file will contain.
If you don't like the packet counter being constantly updated while tshark runs, use the '-q' option like this:
# tshark -nn -i any -w /tmp/net.pcap -q
And finally, when you want to watch the packets live and at the same time keep a raw copy of the network dump on your disk, use the '-S' option like this:
# tshark -nn -i any -w /tmp/net.pcap -S
Running as user "root" and group "root". This could be dangerous.
Capturing on Pseudo-device that captures on all interfaces
  0.000000    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  0.028908    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  0.297138    192.168.122.1 -> 192.168.122.255 UDP Source port: 17500  Destination port: 17500
  1.036921    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  2.045086    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
5 packets captured
Caveat: this is the behaviour of the tshark version shown here. Starting with Wireshark 1.8 the "print summary while writing to a file" switch was renamed to '-P', and '-S' now takes a line-separator argument instead, so on a current system use '-P' in the command above.
After all, when you are done troubleshooting and need to convince someone, you can send them the saved file /tmp/net.pcap for review. Keep in mind that the file holds complete packets including their payloads (passwords, cookies, internal addresses and so on), so check what is in it before passing it on, or restrict what gets recorded in the first place with a capture filter ('-f').
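Before handing the dump to someone, it is worth checking that it actually is a complete libpcap file (a capture interrupted with Ctrl-C while tshark was writing can leave a half-written last record) and what link type it was recorded with. The script below is an added example for this post, not code from the original page or from the Wireshark project. It parses the classic pcap format with the Python standard library only; the sample capture it checks when run without arguments is constructed in code, not a real dump.

```python
"""Sanity-check a pcap file (such as /tmp/net.pcap written by 'tshark -w')
before you hand it to someone for review.

Added example, not code from the original post or from Wireshark. Parses the
classic libpcap format only; the SAMPLE below is constructed, not captured.
Usage: python pcapcheck.py /tmp/net.pcap   (no argument: checks SAMPLE)"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Link-layer types commonly produced by tshark on Linux.
LINKTYPES = {
    1: "EN10MB (Ethernet)",
    101: "RAW (IPv4/IPv6 without link header)",
    113: "LINUX_SLL (Linux cooked capture, what '-i any' produces)",
}

# libpcap magic numbers: microsecond or nanosecond timestamps, either byte order.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}


@dataclass
class PcapSummary:
    version: Tuple[int, int]
    snaplen: int
    linktype: int
    packets: int
    first_ts: Optional[float]
    last_ts: Optional[float]
    truncated: bool  # file ends inside a record, e.g. capture killed mid-write

    def describe(self) -> str:
        lt = LINKTYPES.get(self.linktype, f"linktype {self.linktype}")
        span = (self.last_ts - self.first_ts) if self.packets else 0.0
        status = "TRUNCATED" if self.truncated else "ok"
        return (f"pcap v{self.version[0]}.{self.version[1]}, {lt}, snaplen {self.snaplen}, "
                f"{self.packets} packets over {span:.3f}s, {status}")


def parse_pcap(data: bytes) -> PcapSummary:
    """Walk the global header and every record header without decoding payloads."""
    if len(data) < 24:
        raise ValueError("too short to be a libpcap file")
    try:
        endian, ts_div = MAGICS[data[:4]]
    except KeyError:
        raise ValueError(f"not a libpcap file (magic {data[:4].hex()}); "
                         "pcapng needs a different parser") from None
    vmaj, vmin, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])

    off, count, truncated = 24, 0, False
    first = last = None
    while off < len(data):
        if off + 16 > len(data):
            truncated = True  # partial record header
            break
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            truncated = True  # record claims more bytes than the file holds
            break
        ts = ts_sec + ts_frac / ts_div
        first = ts if first is None else first
        last = ts
        count += 1
        off += incl_len
    return PcapSummary((vmaj, vmin), snaplen, linktype, count, first, last, truncated)


def build_pcap(records: List[Tuple[float, bytes]], linktype: int = 113, snaplen: int = 262144) -> bytes:
    """Build a little-endian, microsecond-resolution pcap from (timestamp, frame) pairs.
    Used here only to construct sample input for the checker."""
    out = [b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, linktype)]
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed sample: two frames of filler bytes 28.908 ms apart (the spacing of
# the first two loopback pings in the output above). Not a real capture.
SAMPLE = build_pcap([(1300000000.000000, b"\x00" * 64), (1300000000.028908, b"\x00" * 64)])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(parse_pcap(data).describe())
```

A file that reports TRUNCATED was cut off mid-record; the packets counted before the cut are still intact, but the reviewer should know the tail is missing. The checker deliberately stops at the record headers, so it is safe to run on untrusted dumps too: nothing in the payload is interpreted.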
More info
man tshark