Remotely starting wireshark

Posted on 2014-02-14
Medium Priority
Last Modified: 2014-02-20
How can I start a capture due to a monitored threshold being met?
Question by:whroadmin
  • 2
LVL 41

Expert Comment

ID: 39861091
With wireshark comes tshark, the text variant.
You can remotely monitor a system for example:

ssh remote tshark -w file -i ethX not port 22

(Prevent port 22 from being monitored, and write to the local file 'file'
while monitoring ethX.   Port 22 would measure also the output of t-shark)..

Author Comment

ID: 39861518
I have two 1g circuits into my network. i have nogios and active monitor watching them for ddos attacks. Now, should they detect that the circuit went from 300Mbs to 998Mbs, they send me an alert, but i also want them to start a batch file that will start a wireshark capture. I have the bat file, i just need some way for it to be started by nagios or active monitor.
LVL 41

Accepted Solution

noci earned 1000 total points
ID: 39861555
tshark -w /var/log/tsharkfile.$(date +%Y%m%dT%H%M%S) -i ethX

Which will capture everything from then on.... ethX = eth0 or eth1 or whatever.
in the /var/log/tsharkfile.{start time}...

Now you will also need a means to stop it again after a while....

You may want to look into fail2ban to activly monitor & block network access.
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 1000 total points
ID: 39864676
nagios has the concept of an "event handler" - by enabling this, you can have it run a second script on trigger of warn or crit.


note - event handlers can be any command you wish (which is good!) but have a timeout after which the process will be killed - this is quite short (30s on my system) so you will want the command to fork the actual tshark process with nohup or similar rather than starting it directly and having it killed when nagios cleans up.

if you have gnu screen installed, you might want to consider using "screen -dmS <name> <command>" which will run the process in a detached screen session - which you can then join to to look at later with "screen -r"

Featured Post

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Data security in the cloud is very much like a security in an on-premises data center - only without costs for maintaining facilities and computer hardware.
To share tips on how to stay ALERT and avoid being the next victim - at least not due to your own poor cyber habits and hygiene!
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question