Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Remotely starting wireshark

Posted on 2014-02-14
4
Medium Priority
?
363 Views
Last Modified: 2014-02-20
How can I start a capture due to a monitored threshold being met?
0
Comment
Question by:whroadmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 40

Expert Comment

by:noci
ID: 39861091
With wireshark comes tshark, the text variant.
You can remotely monitor a system for example:

ssh remote tshark -w file -i ethX not port 22

(Prevent port 22 from being monitored, and write to the local file 'file'
while monitoring ethX.   Port 22 would measure also the output of t-shark)..
0
 

Author Comment

by:whroadmin
ID: 39861518
I have two 1g circuits into my network. i have nogios and active monitor watching them for ddos attacks. Now, should they detect that the circuit went from 300Mbs to 998Mbs, they send me an alert, but i also want them to start a batch file that will start a wireshark capture. I have the bat file, i just need some way for it to be started by nagios or active monitor.
0
 
LVL 40

Accepted Solution

by:
noci earned 1000 total points
ID: 39861555
tshark -w /var/log/tsharkfile.$(date +%Y%m%dT%H%M%S) -i ethX

Which will capture everything from then on.... ethX = eth0 or eth1 or whatever.
in the /var/log/tsharkfile.{start time}...

Now you will also need a means to stop it again after a while....

You may want to look into fail2ban to activly monitor & block network access.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 1000 total points
ID: 39864676
nagios has the concept of an "event handler" - by enabling this, you can have it run a second script on trigger of warn or crit.

http://nagios.sourceforge.net/docs/3_0/eventhandlers.html

note - event handlers can be any command you wish (which is good!) but have a timeout after which the process will be killed - this is quite short (30s on my system) so you will want the command to fork the actual tshark process with nohup or similar rather than starting it directly and having it killed when nagios cleans up.

if you have gnu screen installed, you might want to consider using "screen -dmS <name> <command>" which will run the process in a detached screen session - which you can then join to to look at later with "screen -r"
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
What we learned in Webroot's webinar on multi-vector protection.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question