Using tshark to generate traffic logs every X seconds

Posted by Sridhar Iyer on Server Fault See other posts from Server Fault or by Sridhar Iyer
Published on 2011-11-15T23:45:59Z Indexed on 2011/11/16 1:55 UTC
Read the original article Hit count: 520

Filed under:

wireshark

|

packet-analyzer

I'm trying to use tshark to maintain a running history of all the packets that are going through an interface, for say 30 seconds. I want it to be human readable.

This is a linux machine, and without mucking too much into the netstack source (which I can do if push comes to shove), I was wondering if I can use tshark to this.

tshark has a -b duration:10 -b files:2 which I can use to generate a rotating set of 2 files, but I don't know which format it is printing the file in or how to read it.

© Server Fault or respective owner

Related posts about wireshark

wireshark http POST

as seen on Server Fault - Search for 'Server Fault'
Hi I would like to have a http POST request method CAPTURE filter I know it is easy to do it by display filter http.request.method==POST but I need tcpdump compatible I wrote tcp dst port 80 and (tcp[13] = 0x18) But it is not perfect... tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) 2):4] =… >>> More
How to filter http traffic in Wireshark?

as seen on Server Fault - Search for 'Server Fault'
I suspect my server has a huge load of http requests from its clients. I want to measure the volume of http traffic. How can I do it with Wireshark? Or probably there is an alternative solution using another tool? This is how a single http request/response traffic looks in Wireshark. The ping is… >>> More
Wireshark is not capturing traffic through http://localhost:8888

as seen on Super User - Search for 'Super User'
Currently, my wireshark can capture traffic from http://localhost (traffic that is on port 80) but it won't capture traffic on localhost:8888 Is there any extra configuration/software that I need for wireshark to capture traffic of localhost on this port? I'm running Ubuntu 9.10 >>> More
Multi language support in wireshark

as seen on Super User - Search for 'Super User'
Do we have multiple language support with Wireshark. We are using Windows Xp SP2 and Ubuntu Linux environment. Actually we have a plugin which is UDP based and we have a requirement to Analyse the Information in Packet List Pane and Packet Details Pane to be viewed in other languages like French… >>> More
Saving Wireshark capture settings for future use

as seen on Server Fault - Search for 'Server Fault'
Is there any way to save Wireshark capture options? So it can be reuse after restart Wireshark. Also, if the saved file is in plain text, it's possible to use scripts generating bunch of capture settings, such with different filter setting. Does anyone know? Thanks. >>> More

Related posts about packet-analyzer

Localhost packet analyzer for Mac

as seen on Stack Overflow - Search for 'Stack Overflow'
Packet sniffers generally do not capture localhost traffic. I need to inspect some post data in a localhost environment (being generated from a Ruby on Rails development). Do you know of any programs that expose localhost packets? >>> More
Per Application Packet Analyzer

as seen on Stack Overflow - Search for 'Stack Overflow'
Is there any tool which can analyze network traffic per application? Wireshark does not have per application filtering, fiddler also does not give proper logging for any application. So can anyone please help me out to find an app which can analyze network traffic originating from a random application… >>> More
GUI tool for packet replay

as seen on Server Fault - Search for 'Server Fault'
Is there a freeware Windows/Linux GUI packet replay tool that has the advanced features of tcpreplay (http://tcpreplay.synfin.net/) or bittwist (http://bittwist.sourceforge.net)? I'm particularly interested in the following features: Open pcap files for editing and injecting into arbitrary network Change… >>> More
Ntop monitoring - Hosts visible with no SPAN/mirroring

as seen on Server Fault - Search for 'Server Fault'
I am attempting to use ntop to monitor traffic over a Cisco Catalyst switch. I was assuming that in order to see any of the traffic, I'd have to use monitor, as described here: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml. Howver, before I did anything… >>> More
Using tshark to generate traffic logs every X seconds

as seen on Server Fault - Search for 'Server Fault'
I'm trying to use tshark to maintain a running history of all the packets that are going through an interface, for say 30 seconds. I want it to be human readable. This is a linux machine, and without mucking too much into the netstack source (which I can do if push comes to shove), I was wondering… >>> More