Wireshark-users: Re: [Wireshark-users] How to use a "wireshark sniffer PC" to capture ftp flows b
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 04 Mar 2013 20:51:16 +0100
Alain,

Go for dumpcap please. If you only need to capture, dumpcap is the way to go.
What's the difference, you ask? Tshark, like Wireshark, tries to do dissection.
This builds up state, e.g. takes up more and more memory. This eventually kills
the process. dumpcap, on the other hand, just does capture and writes to disk.
If you use the circular buffer options, like so many files or such and such a
size (choose wisely depending on conditions and needs), you can have this running
all the time.

Thanks,
Jaap

PS: Tim, be careful recommending tshark in such situations. Go for the least
impact option.
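
A concrete form of the ring-buffer setup Jaap describes, as an added example (not from any message in this thread): a small POSIX shell helper that assembles the dumpcap command line for an unattended capture of the traffic between two hosts and bounds the disk it can use. The interface name, host addresses, file limits and output path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, addresses, limits and paths
# are assumptions; adjust them for the host doing the capture.

# Print the dumpcap command for a circular buffer of $3 files of $2 kB each.
# $1 interface, $2 file size in kB, $3 number of files, $4 output prefix,
# $5 libpcap capture filter.
build_dumpcap_cmd() {
    iface=$1; size_kb=$2; nfiles=$3; out=$4; filter=$5
    # -b filesize: starts a new file when the current one reaches size_kb kB;
    # -b files: keeps at most nfiles files and deletes the oldest, so disk use
    # stays bounded however long the capture runs.
    # -s 0 keeps full packets (no truncation); -f applies the filter in the
    # kernel so dumpcap never sees, or dissects, unrelated traffic.
    printf 'dumpcap -i %s -f "%s" -s 0 -b filesize:%s -b files:%s -w %s\n' \
        "$iface" "$filter" "$size_kb" "$nfiles" "$out"
}

# Upper bound on disk usage in kB for a ring of $2 files of $1 kB.
ring_disk_kb() {
    echo $(( $1 * $2 ))
}

# Filtering on the two host addresses rather than "tcp port 21" alone also
# catches the FTP data connections, which use ports negotiated per transfer.
# Addresses are constructed placeholders (RFC 5737 documentation ranges).
FILTER="host 192.0.2.10 and host 198.51.100.20"
CMD=$(build_dumpcap_cmd eth0 102400 10 /var/tmp/ftp_ring.pcapng "$FILTER")
echo "$CMD"
echo "max disk use: $(ring_disk_kb 102400 10) kB"

# Only start the capture when dumpcap is installed and explicitly requested;
# dumpcap then writes ftp_ring_00001_<timestamp>.pcapng, _00002_..., and so on.
if command -v dumpcap >/dev/null 2>&1 && [ "${RUN_CAPTURE:-0}" = 1 ]; then
    eval "$CMD"
fi
```

Run as `RUN_CAPTURE=1 sh ring.sh` (with capture privileges) to start the capture; without the variable it only prints the command and the disk bound.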


On 03/04/2013 03:07 PM, AMEAUME, ALAIN (ALAIN)** CTR ** wrote:
>  Thanks Tim: I will check about tshark running on each server: I first need to find the right package to install on my 2 RHEL 5.4 hosts' OS.
> 
> Alain AMÉAUME
> In order to help protect the environment, please print this e-mail only if it is really necessary.
> Please consider the Environment before printing this mail. 
> 
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Tim.Poth@xxxxxxxxxxx
> Sent: Monday, 4 March 2013 14:40
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Re: [Wireshark-users] How to use a "wireshark sniffer PC" to capture ftp flows between 2 terminals located on 2 # sub-networks ?
> 
> Personally, if I was remote I would try running dumpcap or tshark on the server(s) (the non-GUI tools are lower overhead). There are cases where the load of running on the server will cause problems for the server (took a SQL server down one time doing this); in those cases you will have to get someone local to 'tap' in using one of the methods on the wiki. For these types of situations, in the past my company has built a box using a TurboCap card and shipped it to a client's site to do captures. We gave them the login info and got them to upload the data to us. When the issue was resolved we had them ship the box back to us.
> Every situation is different, try different things until you find one you like / works.
> 
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of AMEAUME, ALAIN (ALAIN)** CTR **
> Sent: Friday, March 1, 2013 11:15 AM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] How to use a "wireshark sniffer PC" to capture ftp flows between 2 terminals located on 2 # sub-networks ?
> 
> Thanks a lot for the info: I decided to insert a hub to simplify my cx -> so that I see all traffic which is broadcast over any port.
> 
> Still asking what to do if I'm very far from hosts A & B and connected myself on a remote subnet? Maybe using remote mirroring? But for that I need a user account to activate a mirror session over the switches!?
> 
> Anyhow, thanks all for your help.
> 
> Alain AMÉAUME
> 
> 
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Tim.Poth@xxxxxxxxxxx
> Sent: Friday, 22 February 2013 15:26
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Re: [Wireshark-users] How to use a "wireshark sniffer PC" to capture ftp flows between 2 terminals located on 2 # sub-networks ?
> 
> There are lots of options for doing this, you might want to start by looking at this http://wiki.wireshark.org/CaptureSetup/Ethernet#Switched_Ethernet
> 
> You could do the route option but that seems to add a lot of complexity and will change your packet flow which may work against why you are capturing in the first place.
> 
> Hope that helps
> 
> 
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of AMEAUME, ALAIN (ALAIN)** CTR **
> Sent: Friday, February 22, 2013 8:55 AM
> To: Community support list for Wireshark
> Subject: [Wireshark-users] How to use a "wireshark sniffer PC" to capture ftp flows between 2 terminals located on 2 # sub-networks ?
> 
> Hi users,
> 
> I'm interested to know how to insert my PC laptop with wireshark as a "PC sniffer" between 2 terminals to capture ftp flows between them:
> 
> terminal "A" in sub-network x.y.A.1
> terminal "B" in sub-network x.y.B.1
> my PC laptop "C" on sub-network x.y.A.2 or x.y.B.2
> 
> using this configuration, I do not need to install wireshark on A & B !
> 
> I suppose that on terminal "A" I need to create a route from A.1 to B.1 passing thru "C", and the same for "B"; then I will also need to declare on my laptop "C" a kind of "gateway" function to re-route the ftp flow, after capture, to its original destination. Is this what we call the NAT function on "C", and how do I do it on the "C" laptop running Windows XP SP3?
> 
> Thanks for your help.
> 
> Alain