Wireshark mailing list archives

Re: How to use a "wireshark sniffer PC" to capture ftp flows between 2 terminals located on 2 # sub-networks ?


From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Mon, 04 Mar 2013 20:51:16 +0100

Alain,

Go for dumpcap please. If you only need to capture, dumpcap is the way to go.
What's the difference, you ask? Tshark, like Wireshark, tries to do dissection.
This builds up state, e.g. takes up more and more memory. This eventually kills
the process. dumpcap, on the other hand, just does capture and writes to disk.
If you use the circular buffer options, like so many files of such and such a
size (choose wisely depending on conditions and needs), you can have this running
all the time.

Thanks,
Jaap

PS: Tim, be careful recommending tshark in such situations. Go for the least
impact option.
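As an added illustration of the advice above (not part of the original thread, and not Wireshark project code): a small POSIX shell script that builds and, on request, starts an unattended dumpcap ring-buffer capture of all traffic between two hosts. The interface name, host addresses, output path and ring size are assumed placeholder values. It uses only dumpcap options documented in its man page (`-i`, `-w`, `-f`, `-b filesize:`, `-b files:`) and checks that the ring fits on the target filesystem before starting.

```shell
#!/bin/sh
# Added example, not from the thread: an unattended dumpcap ring-buffer
# capture of all traffic between two hosts. Interface, host addresses,
# output path and ring size below are assumed values; adjust to your setup.

# ftp_filter HOST_A HOST_B
# FTP data connections use ports negotiated on the control channel
# (PORT/PASV), so a capture filter on 'port 21' alone would miss the
# transfers. Capture everything between the two endpoints and narrow it
# down later with a display filter (e.g. ftp || ftp-data) in Wireshark.
ftp_filter() {
    printf 'host %s and host %s' "$1" "$2"
}

# dumpcap_ring_cmd IFACE OUTFILE FILESIZE_KB NFILES FILTER
# Prints the command line. '-b filesize:N' rotates to a new file every N kB
# and '-b files:M' keeps only the newest M files, so disk usage stays
# bounded and the capture can run indefinitely, which is the point of
# preferring dumpcap over tshark for a long-running capture.
dumpcap_ring_cmd() {
    printf "dumpcap -i %s -w %s -b filesize:%s -b files:%s -f '%s'" \
        "$1" "$2" "$3" "$4" "$5"
}

# ring_budget_kb FILESIZE_KB NFILES -> worst-case disk use of the ring, in kB
ring_budget_kb() {
    echo $(( $1 * $2 ))
}

# ring_fits FILESIZE_KB NFILES AVAIL_KB -> success if the ring fits in AVAIL_KB
ring_fits() {
    [ "$(ring_budget_kb "$1" "$2")" -le "$3" ]
}

# --- assumed values ---
IFACE=eth0
HOST_A=10.1.1.10
HOST_B=10.2.2.20
OUTFILE=/var/tmp/ftp_ring.pcapng
FILESIZE_KB=102400   # about 100 MB per file
NFILES=20            # 20 files -> about 2 GB on disk at most

FILTER=$(ftp_filter "$HOST_A" "$HOST_B")
echo "Capture command: $(dumpcap_ring_cmd "$IFACE" "$OUTFILE" "$FILESIZE_KB" "$NFILES" "$FILTER")"

# Check that the ring fits on the target filesystem before starting.
AVAIL_KB=$(df -Pk "$(dirname "$OUTFILE")" 2>/dev/null | awk 'NR == 2 { print $4 }')
if [ -n "$AVAIL_KB" ] && ! ring_fits "$FILESIZE_KB" "$NFILES" "$AVAIL_KB"; then
    echo "warning: ring needs $(ring_budget_kb "$FILESIZE_KB" "$NFILES") kB, only $AVAIL_KB kB free" >&2
fi

# Only start the capture when explicitly asked for (RUN_CAPTURE=1) and
# dumpcap is installed; it needs capture privileges on the interface.
if [ "${RUN_CAPTURE:-0}" = 1 ] && command -v dumpcap >/dev/null 2>&1; then
    dumpcap -i "$IFACE" -w "$OUTFILE" -b "filesize:$FILESIZE_KB" -b "files:$NFILES" -f "$FILTER"
fi
```

Run it as `RUN_CAPTURE=1 sh capture.sh` on the capture box (the hub or mirror-port machine, or the server itself if its load allows); without `RUN_CAPTURE=1` it only prints the command and the disk check. Because the filter is on the two hosts rather than on port 21, the passive-mode data connections are captured too.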


On 03/04/2013 03:07 PM, AMEAUME, ALAIN (ALAIN)** CTR ** wrote:
Thanks Tim: I will check about tshark running on each server; I first need to find the right package to install on my 2 RHEL 5.4 host OSes.

Alain AMÉAUME
In order to help protect the environment, please print this e-mail only if really necessary.
Please consider the Environment before printing this mail.

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Tim.Poth () bentley com
Sent: Monday, 4 March 2013 14:40
To: wireshark-users () wireshark org
Subject: Re: [Wireshark-users] How to use a "wireshark sniffer PC" to capture ftp flows between 2 terminals located on 2 # sub-networks ?

Personally, if I were remote I would try running dumpcap or tshark on the server(s) (the non-GUI tools have lower overhead). There are cases where the load of running on the server will cause problems for the server (I took a SQL server down one time doing this); in those cases you will have to get someone local to 'tap' in using one of the methods on the wiki. For these types of situations, in the past my company has built a box using a TurboCap card and shipped it to a client's site to do captures. We gave them the login info and got them to upload the data to us. When the issue was resolved we had them ship the box back to us.
Every situation is different; try different things until you find one you like / that works.

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of 
AMEAUME, ALAIN (ALAIN)** CTR **
Sent: Friday, March 1, 2013 11:15 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How to use a "wireshark sniffer PC" to capture ftp flows between 2 terminals located 
on 2 # sub-networks ?

Thanks a lot for the info: I decided to insert a hub to simplify my cx -> so that I see all the traffic which is broadcast over any of the ports.

Still asking what to do if I'm very far from hosts A & B and connected myself on a remote subnet? Maybe using remote mirroring? But for that I need a user account to activate a mirror session on the switches!?

Anyhow, thanks all for your help.

Alain AMÉAUME


-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Tim.Poth () bentley com
Sent: Friday, 22 February 2013 15:26
To: wireshark-users () wireshark org
Subject: Re: [Wireshark-users] How to use a "wireshark sniffer PC" to capture ftp flows between 2 terminals located on 2 # sub-networks ?

There are lots of options for doing this, you might want to start by looking at this 
http://wiki.wireshark.org/CaptureSetup/Ethernet#Switched_Ethernet

You could do the route option, but that seems to add a lot of complexity and will change your packet flow, which may work against why you are capturing in the first place.

Hope that helps


-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of 
AMEAUME, ALAIN (ALAIN)** CTR **
Sent: Friday, February 22, 2013 8:55 AM
To: Community support list for Wireshark
Subject: [Wireshark-users] How to use a "wireshark sniffer PC" to capture ftp flows between 2 terminals located on 2 
# sub-networks ?

Hi users,

I'm interested to know how to insert my PC laptop with Wireshark as a "PC sniffer" between 2 terminals to capture ftp flows between them:

terminal "A" in sub-network x.y.A.1
terminal "B" in sub-network x.y.B.1
my PC laptop "C" on sub-network x.y.A.2 or x.y.B.2

Using this configuration, I do not need to install Wireshark on A & B!

I suppose that on terminal "A" I need to create a route from A.1 to B.1 passing through "C", and the same for "B"; then I will also need to declare on my laptop "C" a kind of "gateway" function to re-route the ftp flow, after capture, to its original destination. Is this what we call the NAT function on "C", and how do I do it on the "C" laptop (Windows XP SP3)?

Thanks for your help.

Alain

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

