A reader recently asked for my opinion on building a server to be dedicated to network traffic capturing with Wireshark. While Wireshark is an excellent packet analysis application, its graphical interface is quite demanding on system resources (memory in particular) and is intended for use only in low-throughput environments or offline packet analysis (where packets are read from a file on disk).
For persistent traffic collection, such as that performed by an IDS/IPS, many people opt to use the popular packet capture utility tcpdump. Alternatively, the Wireshark package includes a very small command line utility (less than one tenth the size of tcpdump) called dumpcap. I explained in the article Sniffing with Wireshark as a Non-Root User that Wireshark relies on the dumpcap executable for its core packet capturing functionality, with more complex features (protocol dissection, display filtering and so on) left to the Wireshark GUI and tshark. In fact, the Wireshark capture options dialog pictured below is primarily a wrapper for arguments passed to dumpcap.
dumpcap can be run independently from Wireshark to capture packets to a file or series of files on disk, and makes for an efficient long-term capture solution. Further, like tcpdump, it is built on the libpcap library and uses the same capture filter syntax.
We can start a very basic packet capture by invoking dumpcap with the command below. -i eth0 specifies the capture interface and -w packets.cap specifies the name of the capture file to be written. Ctrl-C terminates the capture cleanly.

$ dumpcap -i eth0 -w packets.cap
File: packets.cap
Packets: 625
Packets dropped: 0
$ ls -lh packets.cap
-rw------- 1 stretch stretch 942K 2011-03-07 15:48 packets.cap
Now we have a 942 KB capture file that we can open in Wireshark for analysis at our leisure.
Of course, if we intend to capture gigabytes of data, a single file becomes too unwieldy to manage. We can tell dumpcap to begin writing a new file every time the current file reaches a given size by passing -b filesize:<size>, with the size given in kilobytes. The filename given will be appended with a serial number and timestamp to ensure uniqueness.

$ dumpcap -b filesize:10000 -w packets.cap
File: packets_00001_20110307155841.cap
Packets: 7788
File: packets_00002_20110307155904.cap
Packets: 17887
File: packets_00003_20110307155921.cap
Packets: 25950
File: packets_00004_20110307155933.cap
Packets: 33861
File: packets_00005_20110307155941.cap
Packets: 41583
File: packets_00006_20110307155949.cap
Packets: 46751
Packets dropped: 0
$ ls -lh
total 56M
-rw------- 1 stretch stretch 9.8M 2011-03-07 15:59 packets_00001_20110307155841.cap
-rw------- 1 stretch stretch 9.8M 2011-03-07 15:59 packets_00002_20110307155904.cap
-rw------- 1 stretch stretch 9.8M 2011-03-07 15:59 packets_00003_20110307155921.cap
-rw------- 1 stretch stretch 9.8M 2011-03-07 15:59 packets_00004_20110307155933.cap
-rw------- 1 stretch stretch 9.8M 2011-03-07 15:59 packets_00005_20110307155941.cap
-rw------- 1 stretch stretch 7.1M 2011-03-07 16:00 packets_00006_20110307155949.cap
We can also use the duration keyword in place of filesize to specify a length of time (in seconds) to spend filling each file (for example, one hour, or 3600 seconds). And to avoid eventually filling the entire hard disk with capture files, we can include the files parameter to set up a ring buffer: once the maximum number of files has been saved, the oldest file is deleted and a new empty file is created in its place. The example below shows how we can instruct dumpcap to maintain a rotating record of the last 24 hours' worth of traffic. Note that it asks for 25 files rather than 24, because the newest file is still being filled and holds less than a full hour; note also that with duration-based rotation alone the size of each file is unbounded, so a sustained traffic spike can still exhaust the disk unless a filesize limit is combined with it.
$ dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap
As I mentioned earlier, we can also specify a libpcap capture filter (with -f) to restrict the types of traffic captured by dumpcap. For example, the following command captures only DNS traffic destined to or coming from 188.8.131.52. Be aware that udp port 53 matches only DNS over UDP; DNS over TCP (large responses, zone transfers) would need a separate tcp port 53 clause:
$ dumpcap -i eth0 -f "host 188.8.131.52 and udp port 53" -w dns.cap
A full description of libpcap filter syntax is available in the pcap-filter(7) manpage (older systems document it in tcpdump(8) instead).
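The ring-buffer and capture-filter sections above leave the operator with a small amount of arithmetic to do by hand: how many files a given retention target needs, and how much disk the buffer can consume once a filesize cap is added. The script below is an added example, not code from the original post or from the Wireshark project; it wraps that arithmetic in a few shell functions and builds the dumpcap command line from them. The interface name, retention target, rotation interval, per-file cap, output directory and the host in the filter are illustrative values chosen for the example; only the dumpcap options themselves (-i, -b duration/filesize/files, -f, -w) are real.

```bash
#!/bin/sh
# Added example (not from the original post): derive a dumpcap ring-buffer
# command line for a dedicated capture box from a retention target.
# All parameter values below are illustrative assumptions; the dumpcap
# options (-i, -b duration:/filesize:/files:, -f, -w) are the real ones.

# Number of ring-buffer files needed to hold RETENTION seconds of traffic
# when dumpcap switches files every ROTATE seconds. The "+ 1" is the file
# currently being written, which holds less than a full interval.
ring_files() {
    retention=$1
    rotate=$2
    echo $(( retention / rotate + 1 ))
}

# Worst-case disk footprint in kilobytes when every file is also capped at
# FILESIZE_KB. A duration-only ring buffer has no such bound: a traffic
# spike can still fill the disk before the hour is up.
ring_disk_kb() {
    files=$1
    filesize_kb=$2
    echo $(( files * filesize_kb ))
}

# Assemble the dumpcap invocation. dumpcap accepts several -b criteria at
# once and switches files as soon as either the duration or the size limit
# is reached. The capture filter is optional.
build_dumpcap_cmd() {
    iface=$1; rotate=$2; retention=$3; filesize_kb=$4; filter=$5; outfile=$6
    files=$(ring_files "$retention" "$rotate")
    cmd="dumpcap -i $iface -b duration:$rotate -b filesize:$filesize_kb -b files:$files"
    if [ -n "$filter" ]; then
        cmd="$cmd -f '$filter'"
    fi
    echo "$cmd -w $outfile"
}

# Refuse to start if the full ring buffer could not fit on the target
# filesystem. df -Pk (POSIX format) prints available 1K blocks in column 4.
fits_on_disk() {
    need_kb=$1
    dir=$2
    avail_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ -n "$avail_kb" ] && [ "$avail_kb" -gt "$need_kb" ]
}

# Illustrative parameters (assumed): 24 hours of DNS traffic, hourly
# rotation, each file capped at 100 MB, written under /var/captures.
IFACE=eth0
ROTATE=3600
RETENTION=86400
FILESIZE_KB=100000
FILTER='host 188.8.131.52 and udp port 53'
OUTDIR=/var/captures

# Start the capture for real only when asked; otherwise just show the plan.
# The directory is created mode 0700 so listings stay private (the capture
# files themselves are already 0600, as the ls output in the post shows).
if [ "${1:-}" = "--run" ]; then
    files=$(ring_files "$RETENTION" "$ROTATE")
    need_kb=$(ring_disk_kb "$files" "$FILESIZE_KB")
    mkdir -p -m 0700 "$OUTDIR"
    fits_on_disk "$need_kb" "$OUTDIR" || { echo "not enough space for ${need_kb} kB ring buffer" >&2; exit 1; }
    umask 077
    exec dumpcap -i "$IFACE" -b "duration:$ROTATE" -b "filesize:$FILESIZE_KB" \
        -b "files:$files" -f "$FILTER" -w "$OUTDIR/dns.cap"
else
    build_dumpcap_cmd "$IFACE" "$ROTATE" "$RETENTION" "$FILESIZE_KB" "$FILTER" "$OUTDIR/dns.cap"
fi
```

Run without arguments the script only prints the dumpcap command it would execute, which is a convenient way to review the file count and size cap before committing a box to it; with --run it checks free space against the worst-case footprint and then execs dumpcap directly (no eval, so the filter string is passed as a single argument regardless of its spaces).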