On 11/1/2011 3:41 PM, Guy Harris wrote:
On Nov 1, 2011, at 12:22 PM, Chip wrote:
Question: when using dumpcap to write to a file, is there a switch for viewing the data on the monitor as it writes to file?
What do you mean by "viewing the data"? Dumpcap has no switch to dump out the raw contents of the bytes in the packet as hex or ASCII, and will *never ever* have a switch to view the packets as dissected - one of the reasons why dumpcap *exists* is *not* to have any capability to dissect packets, so that, if a program has to run with special privileges in order to capture network traffic, there's a limited amount of code running with those privileges, and thus a limited amount of code that has to be considered "safe". Wireshark and TShark run dumpcap to capture traffic; running Wireshark or TShark with any special privileges would be foolish. (Yes, this means "don't run Wireshark or TShark as root.")
If you want to see dissected versions of the packets as they're captured, use TShark with the -S flag.
And alas, if I only want to capture the ip addresses of the two endpoints to the conversation along with timestamp, what would be the proper filter to use?
What do you mean by "only want to capture the ip addresses of the two endpoints"? If you mean you only want to capture traffic between two particular known-by-IP-address endpoints, you'd want a capture filter of
host {IP address 1} and {IP address 2}
Hi Guy and thank you for clearing some of that up.
From what you wrote I gather you mean that because of privileges,
dumpcap cannot write to a monitor, in real time, the content (whether
hex, ascii or text) of the captured packets?
To clear up what I said about "only want to capture the ip addresses of
the two endpoints", I mean I only want to collect the endpoint ip
addresses along with time stamp -- not interested in any other data that
dumpcap may collect.
The purpose of the project is to capture the domain names of visited
websites whilst using a passive tap inline, so it is impossible to
determine beforehand the sites that will be visited by users. We are
not interested in ftp, smtp, etc., traffic and only interested in the ip
addresses of the domains visited for websites. I understand that Tshark
may have a more robust filtering schema but dumpcap uses less memory and
this project will be collecting over many days so Tshark with its
larger memory footprint may not be as good as dumpcap.
Thank you.
Since dumpcap (from what I gather you wrote) cannot display to the
monitor its activity in real time other than total packet count
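A worked example of the reduction Chip is after, added to this thread and not code from dumpcap, TShark or Wireshark. dumpcap itself only writes whole frames (bounded by the -s snaplen), so "just the two endpoint addresses and a timestamp" is a post-processing step over the file it wrote. The reader below assumes the classic libpcap file format with Ethernet framing, treats "websites" as TCP ports 80 and 443 (an assumption; the capture filter `tcp port 80 or tcp port 443` on the dumpcap side keeps the FTP and SMTP traffic out of the file in the first place), and runs offline on a five-frame capture constructed in the script.

```python
"""Post-process a dumpcap capture into (timestamp, src IP, dst IP) rows.

Example added to this thread, not code from dumpcap, TShark or Wireshark.
It parses the classic libpcap file format (what dumpcap -w writes here;
pcapng needs a different reader) with Ethernet framing and keeps only
IPv4/TCP frames whose port is in a web-port allow-list.  The sample capture
at the bottom is constructed in-code so the script runs offline."""
import struct
import socket
from datetime import datetime, timezone

WEB_PORTS = (80, 443)            # assumption: "websites" means HTTP and HTTPS


def _byte_order(magic_bytes):
    """Return (struct prefix, timestamp ticks per second) from the pcap magic."""
    for prefix in ("<", ">"):
        (magic,) = struct.unpack(prefix + "I", magic_bytes)
        if magic == 0xA1B2C3D4:          # microsecond timestamps
            return prefix, 1_000_000
        if magic == 0xA1B23C4D:          # nanosecond-resolution variant
            return prefix, 1_000_000_000
    raise ValueError("not a libpcap file (pcapng?)")


def endpoints(pcap_bytes, ports=WEB_PORTS):
    """Return [(unix_time, src, dst, sport, dport), ...] for IPv4/TCP frames
    with either port in `ports`.  Non-IP frames, other protocols and frames
    the snaplen cut short of the TCP ports are skipped, not guessed at."""
    prefix, ticks = _byte_order(pcap_bytes[:4])
    linktype = struct.unpack(prefix + "I", pcap_bytes[20:24])[0]
    if linktype != 1:                    # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled here")
    rows, off = [], 24                   # 24-byte global header
    while off + 16 <= len(pcap_bytes):   # 16-byte per-record header
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            prefix + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:        # file truncated mid-record
            break
        ethertype = struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else 0
        l3 = 14
        if ethertype == 0x8100 and len(frame) >= 18:   # 802.1Q tagged frame
            ethertype = struct.unpack("!H", frame[16:18])[0]
            l3 = 18
        if ethertype != 0x0800 or len(frame) < l3 + 20:
            continue                     # ARP, IPv6, or no full IPv4 header
        ihl = (frame[l3] & 0x0F) * 4
        proto = frame[l3 + 9]
        l4 = l3 + ihl
        if proto != 6 or len(frame) < l4 + 4:
            continue                     # not TCP, or ports lost to the snaplen
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        if sport not in ports and dport not in ports:
            continue
        rows.append((ts_sec + ts_frac / ticks,
                     socket.inet_ntoa(frame[l3 + 12:l3 + 16]),
                     socket.inet_ntoa(frame[l3 + 16:l3 + 20]),
                     sport, dport))
    return rows


def _frame(src, dst, proto, sport, dport):
    """Constructed Ethernet + IPv4 + minimal TCP/UDP header, no payload."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + l4


def build_sample():
    """Constructed six-record capture: HTTPS, ARP, SMTP, DNS, HTTPS reply,
    and an HTTPS frame cut to 30 bytes by a small snaplen."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    https = _frame("192.0.2.10", "198.51.100.7", 6, 51000, 443)
    records = [
        (1320178920, 123456, https, len(https)),
        (1320178920, 200000, bytes(12) + b"\x08\x06" + bytes(28), 42),
        (1320178921, 5, _frame("192.0.2.10", "203.0.113.25", 6, 51001, 25), 54),
        (1320178921, 9000, _frame("192.0.2.10", "192.0.2.53", 17, 51002, 53), 42),
        (1320178922, 0, _frame("198.51.100.7", "192.0.2.10", 6, 443, 51000), 54),
        (1320178923, 0, https[:30], 54),
    ]
    out = bytearray(hdr)
    for sec, frac, frame, orig_len in records:
        out += struct.pack("<IIII", sec, frac, len(frame), orig_len) + frame
    return bytes(out)


if __name__ == "__main__":
    for ts, src, dst, sport, dport in endpoints(build_sample()):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="microseconds")
        print(f"{when} {src}:{sport} -> {dst}:{dport}")
```

Run against a real file with `endpoints(open("out.pcap", "rb").read())` after something like `dumpcap -i eth0 -f "tcp port 80 or tcp port 443" -s 96 -w out.pcap`; the small snaplen keeps headers only, which is why the reader checks that the TCP ports actually made it into the frame instead of reading past the end. One caveat for the stated goal: this yields addresses, not domain names. With name-based virtual hosting one address serves many sites, so recovering the name means also keeping the DNS answers (`udp port 53`) or the HTTP Host header, which is more data per packet than this filter retains.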