LinuxQuestions.org > Linux - Networking > Analysing libpcap capture files automatically/CLI
(https://www.linuxquestions.org/questions/linux-networking-3/analysing-libpcap-capture-files-automatically-cli-911819/)

daljian 11-04-2011 06:15 AM

Analysing libpcap capture files automatically/CLI
 
Hi,
I've been coming here many times looking for answers, and it's proven to be a really useful source of information.

Now I have a question on my own which I'm hoping you guys have some ideas about :)

Really, what I want to do is to capture network traffic continuously so that I keep a day or so of traffic which can be analysed manually.

In addition to this, if I'm looking for something in particular (i.e., I want to find SIP packets containing a specific header value or something else), basically what I would normally use as a display filter in Wireshark I want to be able to do from the command line, to see if the filter will show zero or more packets.

A bonus would be if I could get a text representation of the packets that are matched, but that should not be needed.

Any ideas?

BR
Göran

daljian 11-04-2011 08:29 AM

Hi,
I found that tshark can do what I need.
It supports display filters with the -R flag, as in the example below.

tshark -R 'http.proxy_connect_host == "id.google.com"' -r /tmp/sample.pcap

daljian 11-08-2011 04:38 AM

End result in case someone is interested.

Code:

#!/bin/bash
#
# Configuration
#
# This script allows you to do an automated analysis based on a display filter.

# path to save traces
TRACES_DIR=/tmp

HOSTNAME=$(hostname)
FILE_NAME="${TRACES_DIR}/traffic_${HOSTNAME}.cap"
# tshark -b names the ring-buffer files traffic_<host>_NNNNN_<timestamp>.cap
FILE_FILTER="${TRACES_DIR}/traffic_${HOSTNAME}*.cap"

# intervals in seconds
CAPTURE_INTERVAL=10
# Keep the analyse interval less than the capture interval
let "ANALYSE_INTERVAL=${CAPTURE_INTERVAL} - 1"

# I.e., if you want to save all capture files that have to do with
# http traffic containing the phrase "tbg.nu" you can use the below.
# For more on display filters, please have a look at:
# http://www.wireshark.org/docs/dfref/
DISPLAY_FILTER='http contains "tbg.nu"'
CAPTURE_FILTER="port 80"
MATCH_CRITERIA=".*"
MATCH_ACTION="/bin/gzip"
NO_MATCH_ACTION="/bin/rm"

function analyse
{
        # The newest file is still being written, so analyse the second-newest one
        capture_file=$(ls -tr ${FILE_FILTER} 2>/dev/null | tail -2 | head -1)
        number_of_captures=$(ls ${FILE_FILTER} 2>/dev/null | wc -l)
        if [ -n "${capture_file}" ] && [ "${number_of_captures}" -gt 1 ]; then
                chmod 666 "${capture_file}"
                # -R is the read filter of tshark 1.x; from tshark 1.10 on use -Y (or -2 -R)
                matches=$(tshark -R "${DISPLAY_FILTER}" -r "${capture_file}" | grep -c -e "${MATCH_CRITERIA}")
                if [ "${matches}" -gt 0 ]; then
                        ${MATCH_ACTION} "${capture_file}"
                else
                        ${NO_MATCH_ACTION} "${capture_file}"
                fi
        fi
}
function capture
{
        # Let's capture (the script already runs as root, see checkroot, so no sudo is
        # needed; exec makes $! below the PID of tshark itself)
        # tcpdump version: tcpdump -s 0 -C 12 -W 10 -i any -w /tmp/traffic
        exec tshark -i any -b duration:${CAPTURE_INTERVAL} -w "${FILE_NAME}" ${CAPTURE_FILTER} > /dev/null 2>&1
}
function checkroot
{
        if [ "$(id -u)" != "0" ]; then
                echo "This script must be run as root" 1>&2
                exit 1
        fi
}


## Script start
checkroot
capture &
capture_pid=$!
# Stop the background capture when this script exits, so no tshark is left behind
trap 'kill "${capture_pid}" 2>/dev/null' EXIT
while true
do
  sleep ${ANALYSE_INTERVAL}
  analyse
done

exit 0
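The posts above rely on a timing trick (analyse once per interval, always the second-newest file) to avoid touching the file tshark is still writing. As an added example, not the poster's script, here is the same keep-or-delete decision written so that every completed ring-buffer file is handled exactly once, regardless of how often the loop runs. It assumes tshark's `-b` file naming (`<prefix>_NNNNN_YYYYMMDDhhmmss.cap`, so lexical order is chronological and the last file is the one in progress), that the display filter quotes its string operand, and that the match command prints the number of matching packets; `count_matches_tshark`, `process_captures` and the filter value are names chosen for this example. Matched files are gzipped and the rest deleted, so the next run only ever sees files it has not handled yet.

```shell
#!/bin/sh
# Added example (not the poster's script): classify each completed tshark
# ring-buffer capture exactly once. Assumptions: files are named
# <prefix>_NNNNN_YYYYMMDDhhmmss.cap (tshark -b naming), so sorted order is
# chronological and the last file is still being written; the match command
# prints how many packets in the given file pass the display filter.
export LC_ALL=C   # stable, byte-wise glob ordering

# Hypothetical display filter; the string operand of "contains" is quoted.
DISPLAY_FILTER='http contains "tbg.nu"'

# Real matcher: one output line per packet that passes the display filter.
# -Y is the single-pass display filter (tshark 1.10 and later); older
# releases used -R, as in the thread.
count_matches_tshark() {
    tshark -r "$1" -Y "$DISPLAY_FILTER" 2>/dev/null | wc -l
}

# process_captures DIR PREFIX MATCH_CMD
# Runs MATCH_CMD on every completed capture in DIR: gzip the file when at
# least one packet matched, delete it otherwise. Prints the number of files
# kept. A processed file is renamed (.gz) or removed, so a later run cannot
# see it again; no time-based bookkeeping is needed.
process_captures() {
    dir=$1; prefix=$2; match_cmd=$3; kept=0
    set -- "$dir/${prefix}"_*.cap
    # No files: the glob stays literal. One file: it is still being written.
    if [ ! -e "$1" ] || [ $# -lt 2 ]; then
        echo 0
        return 0
    fi
    # Every argument except the last is a completed capture.
    while [ $# -gt 1 ]; do
        f=$1; shift
        n=$("$match_cmd" "$f")
        if [ "${n:-0}" -gt 0 ]; then
            gzip -f "$f"
            kept=$((kept + 1))
        else
            rm -f -- "$f"
        fi
    done
    echo "$kept"
}

# Usage beside a running "tshark -b duration:10 -w /tmp/traffic_host.cap":
#   while sleep 9; do process_captures /tmp traffic_host count_matches_tshark; done
```

Because the decision is driven by the file set rather than the clock, the analysis loop can run slower or faster than the capture interval without skipping or double-processing a file, which the `tail -2 | head -1` approach cannot guarantee.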
