Wireshark mailing list archives

Re: Need to record bandwidth used by branch office VPN tunnels


From: Stefan <netfortius () gmail com>
Date: Tue, 13 Aug 2013 07:31:02 -0500

ntop suggestion is a good one, with the only note that I would suggest
ntopng (http://www.ntop.org/ntop/ntop-is-back-ntopng-1-0-just-released/)
moving forward (BTW, the syntax for reading a capture file using ntopng is
"-i <file.cap>" (similar to reading from an interface), not "-f <file.cap>").

***Stefan


On Mon, Aug 12, 2013 at 11:45 AM, Chad Dailey <wireshark () thedaileyplanet com> wrote:

If analysis does not have to happen in real time, perhaps using dumpcap or
tcpdump to capture headers to a ring buffer with snaplen set to an
appropriately small size, then analyze offline.  NTOP can also be used to
look at captures for fancier graphical output.  Dumpcap can be run more or
less continuously, as the simple capture with no dissection of streams does
not involve the memory exhaustion associated with tshark or wireshark.

Rough outline:

dumpcap -b duration:3600 -s 128 -P -w vpncapture.pcap

This would capture 128 bytes of each packet, which will tell you what kind
of traffic, where it's going, and how big it was, generally sufficient for
rudimentary analysis.  The capture syntax above would write a file at the
end of each hour with a timestamp, or you could use the 'filesize'
parameter as a control instead.  Use rsync or another tool to fetch the
capture files to an offline location for analysis, consider also the
'files' parameter to keep disk usage under control.

Use ntop's -f option to read in whatever file you wish for analysis.  To
aggregate data before analysis, use mergecap.

ntop -f vpncapture.pcap




On Mon, Aug 12, 2013 at 11:13 AM, Gary Drost <gary () pioneerconsultingservices com> wrote:

Is it possible to have tshark run for a period of time, say an hour or
two, and then stop.  It could be setup in a batch file to rename the output
file and then relaunch tshark again.

My guess of a week's worth of data was a bit arbitrary.  I really want to
get a good benchmark on what is a normal amount of traffic so that I have
something to measure against when the branch offices say the connection
is slow, or data so that I can recommend an option for a faster, larger
pipe between sites.

Thanks,

Gary

 Pioneer Consulting Services, Inc.
Cell: (360) 739-2491
email: gary () pioneerconsultingservices com




-------- Original Message --------
Subject: Re: [Wireshark-users] Need to record bandwidth used
by branch office VPN tunnels
From: "Laura Chappell" <lchappell () packet-level com>
Date: Fri, August 09, 2013 8:28 am
To: "'Community support list for Wireshark'"
<wireshark-users () wireshark org>

Oh, yeah... one week is a killer... I've run for just an hour at a customer;
we didn't hit a snag.

Wouldn't it be best if tshark stopped saving the packets once the statistic
is obtained for the timeframe?

Laura

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org]
On Behalf Of Sake Blok
Sent: Friday, August 09, 2013 8:16 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Need to record bandwidth used by branch
office VPN tunnels

On 9 aug 2013, at 03:05, Laura Chappell wrote:

Consider using tshark (command-line tool) with the following parameters
perhaps.

tshark -q -z io,stat,3000,ip.addr==192.168.1.0/24,ip.addr==192.168.2.0/24,ip.addr==192.168.3.0/24 > mystats.txt

No packets are saved during this process - you're only getting
statistics.

Laura, this is not entirely true. As tshark uses dumpcap to capture the
traffic, dumpcap will save all the packets in a temporary file from which
tshark will read. To monitor the traffic for a week in this manner will
most likely result in a) an out-of-memory error due to the fact that tshark
keeps information about each conversation and b) a disk filling up with
packet data.

Cheers,
Sake
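
The thread proposes two things: Chad's `dumpcap -s 128 -P -b duration:3600` ring buffer for header-only capture, and Laura's `tshark -z io,stat,3000,ip.addr==...` per-subnet byte counts. The following is an added example, not code from anyone in the thread: a small Python reader for the libpcap files that `dumpcap -P` writes, which reproduces the io,stat style per-interval, per-subnet byte totals offline, so nothing has to be fed back through tshark at all. The point it makes that the thread only implies is that with snaplen 128 the bytes actually stored are just headers, so bandwidth must be taken from each record's on-wire length (the `orig_len` field, which is what tshark's `frame.len` reports), not from the captured bytes. The sample capture, the 192.168.x.0/24 subnets and the 3000-second interval are constructed to match the thread's examples and are assumptions, not real data.

```python
"""Offline bandwidth accounting from a snaplen-truncated libpcap file.

Added example: mimics `tshark -z io,stat,<interval>,ip.addr==<net>,...` over
the files `dumpcap -s 128 -P -b duration:3600 -w ...` produces, without
loading the capture into tshark/Wireshark. Sample traffic is constructed."""
import ipaddress
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def ethernet_ipv4_frame(src, dst, wire_len):
    """Minimal Ethernet II + IPv4 frame of wire_len bytes (zeroed MACs/payload)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, wire_len - 14, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return eth + ip_hdr + b"\x00" * (wire_len - 34)

def build_sample_pcap(snaplen=128):
    """Constructed capture: records truncated to snaplen, as dumpcap -s 128 does."""
    pcap = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    sample = [  # (ts_sec, src, dst, on-wire length) -- made-up branch/HQ traffic
        (1000, "192.168.1.10", "192.168.2.20", 1514),
        (1000, "192.168.2.20", "192.168.1.10", 66),
        (1001, "192.168.1.11", "10.0.0.5", 600),
        (4700, "192.168.3.7", "192.168.1.10", 1514),
    ]
    for ts, src, dst, wire_len in sample:
        captured = ethernet_ipv4_frame(src, dst, wire_len)[:snaplen]
        pcap += struct.pack("<IIII", ts, 0, len(captured), wire_len) + captured
    return pcap

def iter_records(pcap):
    """Yield (ts_sec, captured_bytes, orig_len) for each record in a libpcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng? capture with dumpcap -P)")
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield ts_sec, pcap[off:off + incl_len], orig_len
        off += incl_len

def ipv4_addrs(frame):
    """(src, dst) of an Ethernet II IPv4 frame; None for anything else. 34 bytes suffice."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])

def bandwidth_by_subnet(pcap, subnets, interval=3000):
    """Bytes per interval per subnet, like io,stat with one ip.addr==net column each.

    Uses orig_len (what went over the wire), not len(captured): with -s 128 the
    captured bytes are only headers and would grossly under-report the volume."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    stats = defaultdict(lambda: defaultdict(int))
    first_ts = None
    for ts_sec, frame, orig_len in iter_records(pcap):
        first_ts = ts_sec if first_ts is None else first_ts
        addrs = ipv4_addrs(frame)
        if addrs is None:
            continue
        bucket = (ts_sec - first_ts) // interval
        for net in nets:
            if any(a in net for a in addrs):   # ip.addr==net: either endpoint
                stats[bucket][str(net)] += orig_len
    return {b: dict(v) for b, v in stats.items()}

def captured_vs_wire(pcap):
    """Total captured bytes vs total on-wire bytes: shows how much snaplen discarded."""
    cap = wire = 0
    for _ts, frame, orig_len in iter_records(pcap):
        cap += len(frame)
        wire += orig_len
    return cap, wire

if __name__ == "__main__":
    data = build_sample_pcap()
    print("captured/wire bytes:", captured_vs_wire(data))
    for bucket, per_net in sorted(bandwidth_by_subnet(
            data, ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]).items()):
        print(f"interval {bucket}: {per_net}")
```

Two caveats for real use: the reader only accepts the classic libpcap format, so keep `-P` on the dumpcap command line (the default today is pcapng, which has a different container), and the ip.addr filters in the thread only mean anything on the cleartext side of the tunnel; on the outside you would see the VPN gateways' addresses and ESP or UDP, not the branch subnets. Point the script at one ring-buffer file per hour (or at the `mergecap` output Chad mentions) and the per-interval totals give the baseline Gary is after.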


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
