vicker313 tech blog

January 28, 2010

Wireshark the Packet Sniffer in Linux

Filed under: Linux — vicker313 @ 7:56 am

Wireshark is a packet sniffer that runs on Linux (it was formerly known as Ethereal), and of course it is available for Windows as well. Basically it records whatever passes through a specified port. To use it, you need to install the following packages:

  1. wireshark package: the tools that do the sniffing.
  2. wireshark-gnome package: the GUI used to read the PCAP files created by wireshark (not sure whether it can run in KDE or whether there is a KDE version).
  3. libsmi package: a library required to install wireshark.

After everything is installed, you can run the command-line capture tool with the tshark command:

tshark

It prints a live packet decode to the terminal, which is not much use for this case. The following command runs tshark quietly in the background and saves the PCAP files in a specified location:

tshark -q -i eth0 -b files:80 -b filesize:10000 -w /root/trace/trace -x -t ad port 80

-q: quiet mode (daemon mode)

-i: network interface to capture on

-b: ring buffer option, which saves the data to multiple files in a merry-go-round (round-robin) pattern. files is how many files to keep, filesize is the maximum size of a single file (in KB)

-w: file path where the PCAP files are saved; be aware that a file number is appended to the file name when the capture is saved to multiple files.

-x: tell tshark to save the hex and ASCII dump

-t: time format, ad means absolute date and time

port: the port to be sniffed (a capture filter)

To read the PCAP file, you need to be in the GNOME desktop and execute the wireshark command:

wireshark

The wireshark GUI will appear, and all you need to do is open the PCAP file that you want to read.

This is the wireshark startup script (rename the file from wireshark.doc to wireshark), copy it to /etc/init.d and run chkconfig --add wireshark to add it to the services.
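The post's own startup script is not reproduced on this page, so here is an added example (not the author's script) of a minimal /etc/init.d-style wrapper around the same tshark ring-buffer capture; the variable names, function names and pidfile path are assumptions of this example. It leaves out -x, which only changes what tshark prints on the terminal, and keeps the trace directory root-only because a port 80 capture holds cleartext HTTP payloads.

```shell
#!/bin/sh
# Added example: /etc/init.d-style wrapper for the tshark ring-buffer capture.
# All names below are this example's own, not the post's script.
IFACE="${IFACE:-eth0}"
TRACE_DIR="${TRACE_DIR:-/root/trace}"
RING_FILES="${RING_FILES:-80}"          # -b files:N     keep at most N files
RING_KB="${RING_KB:-10000}"             # -b filesize:N  roll over after N kB
CAPTURE_FILTER="${CAPTURE_FILTER:-port 80}"
PIDFILE="${PIDFILE:-/var/run/tshark-capture.pid}"

# The full command line. -x is omitted: it only affects terminal output,
# the pcap files already contain every captured byte.
capture_cmd() {
    echo "tshark -q -i $IFACE -b files:$RING_FILES -b filesize:$RING_KB" \
         "-w $TRACE_DIR/trace -t ad $CAPTURE_FILTER"
}

# Running if the pidfile exists and the process it names is alive.
status() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

start() {
    if status; then echo "already running"; return 0; fi
    # Captures carry cookies and credentials in clear: root-only directory.
    mkdir -p "$TRACE_DIR" && chmod 700 "$TRACE_DIR"
    # word splitting of the command string is intended here
    nohup $(capture_cmd) >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    echo "started tshark (pid $!) writing $TRACE_DIR/trace_*"
}

stop() {
    status || { echo "not running"; return 0; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
    echo "stopped"
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    status)  status && echo "running" || echo "stopped" ;;
    "")      ;;   # sourced or run without an action: do nothing
    *)       echo "usage: $0 {start|stop|restart|status}"; exit 1 ;;
esac
```

Adjust IFACE, TRACE_DIR and CAPTURE_FILTER through the environment or by editing the defaults before installing it with chkconfig as the post describes.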


1 Comment »

  1. Hi, nice blog. I hope you can join our monthly blogging tournament.

    Comment by BlogMage.com — March 12, 2010 @ 4:39 pm
