Wireshark-users: Re: [Wireshark-users] Need to record bandwidth used by branch office VPN tunnels

From: Stefan <netfortius@xxxxxxxxx>
Date: Tue, 13 Aug 2013 07:31:02 -0500
ntop suggestion is a good one, with the only note that I would suggest ntopng (http://www.ntop.org/ntop/ntop-is-back-ntopng-1-0-just-released/), moving forward (BTW, the syntax for reading a capture file using ntopng is "-i <file.cap>" (similar to reading out of an interface), not "-f <file.cap>")

***Stefan


On Mon, Aug 12, 2013 at 11:45 AM, Chad Dailey <wireshark@xxxxxxxxxxxxxxxxxxx> wrote:
If analysis does not have to happen in real time, perhaps using dumpcap or tcpdump to capture headers to a ring buffer with snaplen set to an appropriately small size, then analyze offline.  NTOP can also be used to look at captures for fancier graphical output.  Dumpcap can be run more or less continuously, as the simple capture with no dissection of streams does not involve the memory exhaustion associated with tshark or wireshark.

Rough outline:

dumpcap -b duration:3600 -s 128 -P -w vpncapture.pcap

This would capture 128 bytes of each packet, which will tell you what kind of traffic, where it's going, and how big it was, generally sufficient for rudimentary analysis.  The capture syntax above would write a file at the end of each hour with a timestamp, or you could use the 'filesize' parameter as a control instead.  Use rsync or another tool to fetch the capture files to an offline location for analysis; consider also the 'files' parameter to keep disk usage under control.

Use ntop's -f option to read in whatever file you wish for analysis.  To aggregate data before analysis, use mergecap.

ntop -f vpncapture.pcap
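The offline analysis step described above (128-byte header-only captures, byte totals per branch subnet per hour), as an added example that is not from this thread or from the ntop/Wireshark projects: a minimal pcap reader that totals bytes per subnet per interval. It uses each record's orig_len rather than the captured length, so the 128-byte snaplen does not undercount bandwidth. The sample capture, the subnets and the packet list are constructed for the example.

```python
import struct
import ipaddress
from collections import defaultdict

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype

def build_pcap(packets, snaplen=128):
    """Constructed sample capture (not real traffic): packets = [(ts_sec, src, dst, wire_len)].
    Frames are truncated to snaplen, mimicking 'dumpcap -s 128'."""
    out = [PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]  # linktype 1 = Ethernet
    for ts, src, dst, wire_len in packets:
        eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
        ip = (bytes([0x45, 0]) + struct.pack(">H", wire_len - 14) + b"\x00" * 8
              + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed)
        frame = (eth + ip).ljust(wire_len, b"\x00")[:snaplen]
        out.append(struct.pack("<IIII", ts, 0, len(frame), wire_len) + frame)
    return b"".join(out)

def bytes_per_subnet(pcap_bytes, subnets, interval=3600):
    """Return {(interval_start, subnet): wire_bytes} for packets touching each subnet."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]  # detect pcap byte order
    record = struct.Struct(order + "IIII")            # ts_sec, ts_usec, incl_len, orig_len
    nets = [ipaddress.ip_network(n) for n in subnets]
    totals = defaultdict(int)
    offset = PCAP_GLOBAL.size
    while offset + record.size <= len(pcap_bytes):
        ts_sec, _, incl_len, orig_len = record.unpack_from(pcap_bytes, offset)
        frame = pcap_bytes[offset + record.size: offset + record.size + incl_len]
        offset += record.size + incl_len
        # Need Ethernet (14) + minimal IPv4 header (20); skip non-IPv4 frames
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        bucket = ts_sec - ts_sec % interval
        for net in nets:
            if src in net or dst in net:
                totals[(bucket, str(net))] += orig_len  # orig_len = size on the wire, not captured
    return dict(totals)

# Constructed sample: two branch subnets, one packet in the second hour
SAMPLE_PACKETS = [(0, "192.168.1.10", "10.0.0.1", 1500),
                  (10, "10.0.0.1", "192.168.2.20", 600),
                  (3700, "192.168.1.11", "192.168.2.21", 200)]
BRANCH_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]

if __name__ == "__main__":
    for key, total in sorted(bytes_per_subnet(build_pcap(SAMPLE_PACKETS), BRANCH_SUBNETS).items()):
        print(key, total)
```

Traffic between two branch subnets is counted against both, which matches what each tunnel carried.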




On Mon, Aug 12, 2013 at 11:13 AM, Gary Drost <gary@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Is it possible to have tshark run for a period of time, say an hour or two, and then stop?  It could be set up in a batch file to rename the output file and then relaunch tshark again.
 
My guess of a week's worth of data was a bit arbitrary.  I really want to get a good benchmark on what is a normal amount of traffic so that I have something to measure against when the branch offices say the connection is slow, or data so that I can recommend an option for a faster, larger pipe between sites.
 
Thanks,

Gary
 
Pioneer Consulting Services, Inc.
Cell: (360) 739-2491
email: gary@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
 
 
-------- Original Message --------
Subject: Re: [Wireshark-users] Need to record bandwidth used by branch office VPN tunnels
From: "Laura Chappell" <lchappell@xxxxxxxxxxxxxxxx>
Date: Fri, August 09, 2013 8:28 am
To: "'Community support list for Wireshark'" <wireshark-users@xxxxxxxxxxxxx>

Oh, yeah... one week is a killer... I've run for just an hour at a customer
we didn't hit a snag.

Wouldn't it be best if tshark stopped saving the packets once the statistic
is obtained for the timeframe?

Laura

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Friday, August 09, 2013 8:16 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Need to record bandwidth used by branch office VPN tunnels

On 9 aug 2013, at 03:05, Laura Chappell wrote:

> Consider using tshark (command-line tool) with the following parameters perhaps.
>
> tshark -q -z io,stat,3000,ip.addr==192.168.1.0/24,ip.addr==192.168.2.0/24,ip.addr==192.168.3.0/24 > mystats.txt
>
> No packets are saved during this process - you're only getting statistics.

Laura, this is not entirely true. As tshark uses dumpcap to capture the
traffic, dumpcap will save all the packets in a temporary file from which
tshark will read. To monitor the traffic for a week in this manner will
most likely result in a) an out-of-memory error due to the fact that tshark
keeps information about each conversation and b) a disk filling up with
packet data.

Cheers,
Sake