Yes. Do something like this:

    tethereal -n -a filesize:10000 -b 20 -w /your/output/files/go/here/capture.file.name -f "host <ip1> or host <ip2>"

So you'll see all traffic to AND from host "ip1" and you'll see all traffic to AND from host "ip2". Since the traffic between these two hosts is okay, you could rule out those streams by making the capture filter longer:

    -f "(host <ip1> or host <ip2>) and not (host <ip1> and host <ip2>)"

Anyway, this capture would run all the time, dumping the output into 20 files (-b 20), max size each is 10MB (-a filesize:10000), and it would write them as "capture.file.name.NNN" in the directory "/your/output/files/go/here". :-) Modify as appropriate.
Now, when you go to *read* the things, you can do one of two things.

1) Stop the capture. Tethereal will rename all of the files to a timestamp-based name. Use mergecap to make them one big capture file (if you want) and load it up.

2) Don't bother stopping the capture. Just copy the files out of the ring buffer and merge them, or use mergecap on them where they are (since the originals are not modified), and load it up. You'll get errors about the last packet in each file, since it'll probably be a partial packet.

Do NOT MOVE the files out of an active ring buffer. Ethereal keeps the files open. If you move them, it'll really *@#& things up. Copying them is fine. Moving them is bad.
Note that I stuck the "-n" on the original capture to disable name resolution. Don't worry. The name resolution stuff doesn't go in the capture files anyway, so it's a waste to have tethereal looking up names at capture time. Just have name lookups enabled when you go to read the files later and you'll still see all of the names.

Hope that helps!

--J
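The ring-buffer procedure from the reply above, as an added example that is not part of the original post: a POSIX shell script that generalizes the two-host capture filter to any number of monitored hosts (keeping traffic to or from each listed host but excluding traffic between any pair of them), assembles the tethereal command line with the same options as the post, and merges copies of the ring-buffer files with mergecap without ever moving the originals out from under the running capture. The host addresses, file count, file size and paths are constructed placeholders; build_filter, capture_cmd and merge_ring are names chosen for this example, not tethereal or mergecap options.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes tethereal/mergecap
# semantics as described in the reply: "-a filesize:KB" caps each file,
# "-b N" keeps N ring-buffer files, "-n" disables capture-time name lookups.

# build_filter HOST... -> BPF capture filter that keeps all traffic to or
# from each listed host but drops traffic between any two listed hosts.
# For two hosts this is exactly the longer filter shown in the reply;
# for more hosts every unordered pair is excluded ("and" binds tighter
# than "or" in BPF, so the pair list needs no inner parentheses).
build_filter() {
    any=""
    pairs=""
    for h in "$@"; do
        any="${any:+$any or }host $h"
    done
    while [ $# -gt 1 ]; do
        a=$1
        shift
        for b in "$@"; do
            pairs="${pairs:+$pairs or }host $a and host $b"
        done
    done
    if [ -n "$pairs" ]; then
        printf '(%s) and not (%s)\n' "$any" "$pairs"
    else
        printf '%s\n' "$any"
    fi
}

# capture_cmd OUTFILE NFILES SIZE_KB FILTER -> the tethereal command line
# from the reply: no name resolution, NFILES ring-buffer files of SIZE_KB
# kilobytes each, written as OUTFILE.NNN.  Returned as text so it can be
# inspected (or run with eval) without needing tethereal installed.
capture_cmd() {
    printf 'tethereal -n -a filesize:%s -b %s -w %s -f "%s"\n' "$3" "$2" "$1" "$4"
}

# merge_ring PREFIX OUT.cap -> copy (never move) the live ring-buffer files
# PREFIX.* into a scratch directory and merge the copies with mergecap.
# The originals stay open in tethereal, so only copies are touched.
# Prints the number of files copied.
merge_ring() {
    prefix=$1
    out=$2
    tmp=$(mktemp -d) || return 1
    n=0
    for f in "$prefix".*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$tmp"/ && n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo "no ring-buffer files match $prefix.*" >&2
        rm -rf "$tmp"
        return 1
    fi
    if command -v mergecap >/dev/null 2>&1; then
        # mergecap will warn about the truncated last packet of each file
        # still being written; that is expected per the reply.
        mergecap -w "$out" "$tmp"/* || echo "mergecap reported errors" >&2
    else
        echo "mergecap not installed; copies left in $tmp" >&2
    fi
    echo "$n"
}

# Demo with constructed hosts and paths; prints the filter and command only.
if [ "${DEMO:-}" = 1 ]; then
    f=$(build_filter 10.0.0.1 10.0.0.2)
    capture_cmd /your/output/files/go/here/capture.file.name 20 10000 "$f"
fi
```

Run with DEMO=1 to print the two-host command; pass more hosts to build_filter to exclude every pair of monitored hosts rather than just the one pair shown in the reply, and point merge_ring at the ring-buffer prefix while the capture is still running.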
Is it possible to filter only a few IP ranges (partners accessing the Intranet) with name resolution (partner name)?

This would allow monitoring whether authorized partners access only their authorized resources on the Intranet.