Live Packet Capture in Wireshark With GNS3
Dynagen and its complementary GUI GNS3 provide the very handy ability to capture traffic sent between emulated devices. Packets are written to a capture file on disk, which can then be opened with a packet analyzer like Wireshark. The only downside to this is that the traffic does not appear live in the analysis application; the capture buffer is populated only with the pakcets which have been recorded up to that point.
In Wireshark, the contents of a capture file can be refreshed by pressing Ctrl+R, but this requires tedious manual intervention and navigating to the end of the buffer every time. After taking a clue from the Wireshark wiki I was able to modify the way in which Wireshark reads capture files generated by Dynagen/GNS3 and achieve a near-real-time view of the traffic, as if it was being sniffed from a physical interface. My solution should work on all UNIX-like systems (e.g. Linux), but Windows users will have to look elsewhere.
The trick is to continuously dump the capture file being written by Dynagen to standard output, which can be fed to Wireshark as standard input. Open the preferences dialog in GNS3 (Edit > Preferences...) and select capture preferences. Modify the default Wireshark command from /usr/bin/wireshark %c to read as follows. (Thanks to e36freak in #bash on Freenode for assistance manipulating the shell command to work in GNS3!)
tail --bytes=+0 -f %c | wireshark -k -i -
Also, check the option to automatically start the command when capturing.
Here's how the command works: The tail executable with the -f argument constantly outputs the content of the capture file as it is written. The --bytes=+0 bit instructs tail to begin from the first byte of the file. (This part is optional, but recommended to avoid "unknown libpcap format" errors in Wireshark.) The output of tail is piped to Wireshark. Wireshark's arguments instruct it to begin capturing immediately from standard input.
Now, Wireshark should start immediately after selecting a capture interface and its capture buffer should be updated nearly in real-time. Tail introduces a ~1-second delay, which can be tweaked with the -s argument if desired.
You might receive an error indicating that the capture file "is empty, no traffic captured on the link." This simply means that no packets were captured in the time between initiating the capture and starting Wireshark. Right-clicking on the interface in GNS3 again and selecting "Start Wireshark" a moment later should resolve it (assuming there is traffic flowing across the interface being captured).
The solution described here will also work using Dynagen alone: Simply execute the command above by hand, substituting %c with the appropriate file name.
About the Author
Jeremy Stretch is a networking engineer and the maintainer of PacketLife.net. He currently lives in the Raleigh-Durham area of North Carolina. Although employed full-time out of necessity, his true passion lies in improving the field of network engineering around the world. You can contact him by email or follow him on Twitter.
Comments
Well, technically it is Dynamips that creates the PCAP files (this part of code was written by Greg Anuzelli, who also wrote Dynagen).
Great idea!
Just install the tail for windows and follow the howto =)
Hello,
on linux, i use to attach links i want to sniff on in a tap device:
(as root) tunctl -u YourUsername
this creates a tapX device you can use.
Than attach that in the cloud and.. just sniff locally.
See ya ;)
Add star
sarath kumar
sarath296@gmail.com Wed, Apr 13, 2011 at 9:41 AM
To: no-reply@packetlife.net
Reply | Reply to all | Forward | Print | Delete | Show original
please send procedure for token bus,token ring ,packet
transmission,link state algorithm,distance vector routing
algorithm,goback N ARQ,selecitve rejectarq
This worked great with Ubuntu Desktop 10.10, GNS3 0.7.3 and Wireshark 1.2.11.
Thanks for another great article.
jeff
I am trying to do the same under windows, what I know now is that if I press CRTL+R I refresh the packet capture, but still not "real time capture".
Kind regards
hello All, recently my colleague told me that he tried SPAN or RSPAN for live Wireshark captures in GNS, he connected a router with switch module and directed traffic to loopback on his physical machine (his laptop) and got live captures, what do you think about it ?
Hi,
FYI, newer versions of GNS3 now support live traffic capture with Wireshark.
Jeremy, its awesome. Thats why I love linux!
thanks for the article. works like a charm
Nice article, I used to have the same problem in Windows which I wanted to capture packets on Wireshark from Dynagen in Windows.
Well, I don't know whether is there a better solution, here's how I did it:
Create 2 loopback adapters in Windows.
Then map the router interfaces in the network file to the loopback adapter:
R1 E0/0 -> Windows Loopback Adapter1
R2 E0/0 -> Windows Loopback Adapter2
We can then bridge the 2 loopback adapters in Windows and startup Wireshark to monitor these "real" interfaces while we generate traffic in Dynagen.
Hope this fill in the blanks for Windows users and they might not have to look elsewhere!