
Sunday, April 10, 2011

tshark in network troubleshooting

As described in another of my posts, there is no good and elegant way of printing the data captured on the wire to stdout and to a file at the same time when using 'tcpdump'.

Here 'tshark', which ships with the 'wireshark' packet sniffer, comes in handy and does the job in a simple and elegant way.

To capture all network packets and write them to a file, use a command like this one:

# tshark -nn -i any -w /tmp/net.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on Pseudo-device that captures on all interfaces
24

The warning about running as root is worth heeding: every protocol dissector then runs with full privileges on untrusted input from the wire. On Linux the usual fix is to give the 'dumpcap' helper the capture capabilities (setcap cap_net_raw,cap_net_admin+eip on the dumpcap binary) and run tshark as an unprivileged user.

If you don't like the packet counter being constantly updated while tshark runs, use the '-q' option, like this:

# tshark -nn -i any -w /tmp/net.pcap -q

And finally, when you want to watch the packets live and at the same time keep a raw copy of the dump on disk, use the '-S' option, like this (note that later Wireshark releases renamed this flag to '-P'; in those versions '-S' takes an argument and sets the line separator instead, so a bare '-S' will fail):

# tshark -nn -i any -w /tmp/net.pcap -S
Running as user "root" and group "root". This could be dangerous.
Capturing on Pseudo-device that captures on all interfaces
  0.000000    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  0.028908    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  0.297138 192.168.122.1 -> 192.168.122.255 UDP Source port: 17500  Destination port: 17500
  1.036921    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  2.045086    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
5 packets captured

Finally, when you are done troubleshooting and need to convince someone, you can send them the saved file /tmp/net.pcap for review. Keep in mind that the file holds full packet payloads, so check it for credentials or other sensitive data before sharing it, or limit what gets recorded with a capture filter ('-f') and a snapshot length ('-s').
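Before handing the saved file to someone, it pays to know what is actually in it. The following is an added example, not code from the original post or from the Wireshark project: a minimal classic-pcap writer and reader in plain Python, fed with two constructed packets that mirror the capture above (a loopback ICMP echo request and a broadcast UDP datagram on port 17500). It produces tshark-style summary lines and shows two things a reviewer should be aware of: a capture taken with '-i any' does not carry Ethernet headers but the 16-byte Linux "cooked" (LINKTYPE_LINUX_SLL, 113) header, and newer tshark releases write pcapng by default unless '-F pcap' is given, which a classic-pcap parser like this one rejects. The sample timestamps, addresses and the zeroed checksums are all constructed for the example.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4       # classic pcap, little-endian writer
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113         # "Linux cooked": what `tshark -i any` records


def pcap_bytes(packets, linktype, snaplen=65535):
    """Serialise (timestamp, frame) pairs as a classic little-endian pcap file."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)
    records = []
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        records.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return header + b"".join(records)


def is_classic_pcap(blob):
    """True for a classic pcap magic in either byte order; False for pcapng or junk."""
    return blob[:4] in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4")


def read_pcap(blob):
    """Yield (linktype, timestamp, frame) per record; refuses pcapng and truncated files."""
    if not is_classic_pcap(blob):
        raise ValueError("not a classic pcap file (pcapng? re-capture with -F pcap)")
    end = "<" if blob[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    _, _, _, _, _snaplen, linktype = struct.unpack(end + "HHiIII", blob[4:24])
    off = 24
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        frame = blob[off:off + incl]
        if len(frame) != incl:
            raise ValueError("truncated record at offset %d" % off)
        off += incl
        yield linktype, sec + usec / 1e6, frame


def summarize(blob):
    """One tshark-like row (rel_time, src, dst, description) per IPv4 packet."""
    rows, first = [], None
    for linktype, ts, frame in read_pcap(blob):
        if linktype == LINKTYPE_ETHERNET:
            ethertype, = struct.unpack("!H", frame[12:14]); l3 = frame[14:]
        elif linktype == LINKTYPE_LINUX_SLL:
            ethertype, = struct.unpack("!H", frame[14:16]); l3 = frame[16:]
        else:
            raise ValueError("unsupported link type %d" % linktype)
        if ethertype != 0x0800:          # only IPv4 is decoded here
            continue
        first = ts if first is None else first
        ihl = (l3[0] & 0x0F) * 4
        proto = l3[9]
        src = ".".join(str(b) for b in l3[12:16])
        dst = ".".join(str(b) for b in l3[16:20])
        l4 = l3[ihl:]
        if proto == 1:
            desc = "ICMP Echo (ping) request" if l4[0] == 8 else "ICMP type %d" % l4[0]
        elif proto == 17:
            sport, dport = struct.unpack("!HH", l4[:4])
            desc = "UDP Source port: %d  Destination port: %d" % (sport, dport)
        else:
            desc = "IP proto %d" % proto
        rows.append((round(ts - first, 6), src, dst, desc))
    return rows


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left zero; fine for an offline sample)."""
    a = bytes(int(x) for x in src.split("."))
    b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, a, b) + payload


def sll(l3, ethertype=0x0800):
    """Linux cooked header: pkttype, ARPHRD type (772 = loopback), addr len, addr, protocol."""
    return struct.pack("!HHH8sH", 0, 772, 6, b"\x00" * 8, ethertype) + l3


# Constructed sample capture, shaped like the post's output (not real traffic).
SAMPLE = pcap_bytes([
    (1302437000.000000, sll(ipv4("127.0.0.1", "127.0.0.1", 1, bytes([8, 0, 0, 0]) + b"\x00" * 4))),
    (1302437000.297138, sll(ipv4("192.168.122.1", "192.168.122.255", 17,
                                 struct.pack("!HHHH", 17500, 17500, 8, 0)))),
], LINKTYPE_LINUX_SLL)

if __name__ == "__main__":
    for rel, src, dst, desc in summarize(SAMPLE):
        print("%10.6f %s -> %s %s" % (rel, src, dst, desc))
```

Run it as-is to see the two summary lines; point read_pcap at a real '-w' file by reading it with open(path, "rb") to check its link type and record count before you send it on.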

More info
man tshark
