Wireshark is a packet sniffer program that run on Linux machine (formerly known as Ethereal), and of course available to Windows as well. Basically it will record down what ever going through a specified port. To use it, you need to install the following packages:
- wireshark package: tools that do the sniffing.
- wireshark-gnome package: used to read the PCAP files created by wireshark (not sure whether can run in KDE or got KDE version or not).
- libsmi package: library required to install wireshark.
After everything is installed, you can execute wireshark using tshark command:
It will output a live packet sniffing to the terminal, however it is not much usage for this case. The following command is to run tshark in daemon mode and save the PCAP files in a specified location:
tshark -q -i eth0 -b files:80 -b filesize:10000 -w /root/trace/trace -x -t ad port 80
q: quiet mode or daemon mode
i: network interface
b: ring buffer option, which means it can set to save the data in multiple files in a mary go round pattern. files means how many files to save, filesize means maximum size of 1 single file (in KB)
w: file path where the PCAP file saved, aware that file number will be append to the file name when it is saved to multiple files.
x: tell wireshark to save the hex and ACSII dump
t: time format, ad means absolute date and time
port: which port to be sniffed
While to read the PCAP file, you need to be in Gnome Desktop and execute wireshark command:
A wireshark GUI program will appear, and all you need to do is open the PCAP file that you want to read.
This is the wireshark Startup Script (change the filename from wireshark.doc to wireshark), copy it to /etc/init.d and issue
chkconfig --add wireshark to add it into services.