Wireshark-users: Re: [Wireshark-users] Question

From: "Terry Martin" <tmartin@xxxxxxxxxxxxxxxx>
Date: Thu, 13 Nov 2008 13:13:58 -0500
Sake

I just reviewed the packet and I am going to need the IGMP information
which is the next 64 bytes.  

Is this going to be difficult?  Should I collect the entire packet? If
so is Dumpcap still the best?


Thanks

Terry Martin
TimeData Corporation
VP of Network Operation
East Coast Number: 212-644-1600 X3
West Coast Number: 503-678-2224
Cell:              503-318-8909

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Thursday, November 13, 2008 8:54 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Question

On Thu, Nov 13, 2008 at 11:07:26AM -0500, Terry Martin wrote:
>    I am setting up Tshark to continuously collect information on a
>    network connection

If you want to capture continuously, dumpcap is a better choice as it
does not keep state of the packets it captures, it just writes them to
disk.

>    and store the information into a file every 15 minutes with the
>    name of the file being mm_dd_hh_mm.

With the -b duration:900 -w dump.cap, dumpcap would use a serial number
as well as a datetime string in the filename. It writes files like this:

Packets: 58 File: dump_00002_20081113174508.cap
Packets: 85 File: dump_00003_20081113174532.cap
Packets: 306 File: dump_00004_20081113174537.cap

(note that it does not create a new file when there were no packets
after switching to the next file)

Would that do?

>    I want this collection to only save
>    the header information

What do you mean by "header"? Just the ip-header? If so, you can use the
snaplength option to cut off after 14 (eth) + 20 (ip) = 34 octets
(assuming no extra IP options are used):

dumpcap -s 34

>    from all IP multicast traffic

Would that be a capture filter like "net 224.0.0.0 mask 224.0.0.0"

>    Is there a way I can setup Tshark to collect this information?  Can
>    anyone give me any ideas how to set this up?

In short:

dumpcap -w dump.cap -i <int> -b duration:900 -s 34 "net 224.0.0.0 mask 224.0.0.0"

Hope this helps,
Cheers,
    Sake
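Added example, not part of either message in this thread: a small POSIX shell script that ties Sake's dumpcap command line and Terry's two follow-up requirements together. It computes the snaplen from the 14 + 20 layout Sake describes plus the extra bytes Terry wants after the IP header (0 for Sake's original 34, 64 for the IGMP data), runs dumpcap with the multicast capture filter, and then renames dumpcap's own `prefix_NNNNN_YYYYMMDDhhmmss.cap` output files into the `mm_dd_hh_mm.cap` naming Terry asked for. The interface name, the `dump.cap` prefix and the use of `-f` for the filter (equivalent to passing it as the trailing argument) are assumptions; the sample file names in the comments are the ones from Sake's reply. The 34/98 figures assume an untagged Ethernet frame and no IP options; an 802.1Q tag adds 4 more bytes.

```shell
#!/bin/sh
# Added example (not from the thread): continuous multicast capture with
# dumpcap, snaplen derived from the header sizes discussed, and renaming
# of dumpcap's ring-buffer files into mm_dd_hh_mm.cap.

# Snaplen = Ethernet header (14) + IPv4 header without options (20)
# + the payload bytes wanted after the IP header.
# snaplen      -> 34 (Sake's reply)     snaplen 64 -> 98 (Terry's IGMP data)
snaplen() {
    extra=${1:-0}
    echo $((14 + 20 + extra))
}

# The dumpcap invocation as one printable string, for review before running.
# Interface is an assumed argument; "dump.cap" is the prefix Sake used.
dumpcap_cmd() {
    iface=$1
    extra=${2:-0}
    printf 'dumpcap -i %s -w dump.cap -b duration:900 -s %s -f "net 224.0.0.0 mask 224.0.0.0"\n' \
        "$iface" "$(snaplen "$extra")"
}

# Run the capture for real (blocks until dumpcap is stopped, e.g. Ctrl-C).
run_capture() {
    dumpcap -i "$1" -w dump.cap -b duration:900 -s "$(snaplen "${2:-0}")" \
        -f 'net 224.0.0.0 mask 224.0.0.0'
}

# Map a dumpcap ring-buffer name such as dump_00002_20081113174508.cap
# to 11_13_17_45.cap. Fails (status 1) on names it does not recognise.
mmddhhmm_name() {
    base=${1##*/}            # drop any directory part
    stamp=${base##*_}        # 20081113174508.cap
    stamp=${stamp%.*}        # 20081113174508
    case $stamp in
        *[!0-9]*|"") echo "unexpected dumpcap file name: $1" >&2; return 1 ;;
    esac
    [ ${#stamp} -eq 14 ] || { echo "unexpected dumpcap file name: $1" >&2; return 1; }
    printf '%s_%s_%s_%s.cap\n' \
        "$(printf '%s' "$stamp" | cut -c5-6)" \
        "$(printf '%s' "$stamp" | cut -c7-8)" \
        "$(printf '%s' "$stamp" | cut -c9-10)" \
        "$(printf '%s' "$stamp" | cut -c11-12)"
}

# Rename all closed capture files in a directory. mm_dd_hh_mm drops the
# year and the seconds, so two files written in the same minute would
# collide; an existing target is never overwritten, the source is kept.
rename_captures() {
    dir=${1:-.}
    for f in "$dir"/dump_*_*.cap; do
        [ -e "$f" ] || continue
        new=$(mmddhhmm_name "$f") || continue
        if [ -e "$dir/$new" ]; then
            echo "skipping $f: $dir/$new already exists" >&2
            continue
        fi
        mv "$f" "$dir/$new"
    done
}

# Usage: ./capture.sh capture eth0   (interface name is an assumption)
if [ "${1:-}" = "capture" ]; then
    iface=${2:?interface name required}
    echo "running: $(dumpcap_cmd "$iface" 64)"
    run_capture "$iface" 64
    rename_captures .
fi
```

Renaming is done after dumpcap exits so the file currently being written is never touched; the collision check matters because dumpcap's serial number is the only thing that keeps two same-minute files apart once the seconds are dropped.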
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users