CODEWITHSUNDEEP
network-programmingtcpwiresharkethernettshark
Chander Shivdasani
Chander Shivdasani

Reputation: 10131

Sniffing packets using tshark

I have 2 servers(serv1,serv2) that communicate and i'm trying to sniff packets matching certain criteria that gets transferred from serv1 to serv2. Tshark is installed on my Desktop(desk1). I have written the following script:

while true; do
tshark -a duration:10 -i eth0  -R "(sip.CSeq.method == "OPTIONS") && (sip.Status-Code) && ip.src eq serv1" -Tfields -e sip.response-time > response.time.`date +%F-%T`
 done

This script seems to run fine when run on serv1(since serv1 is sending packets to serv2). However, when i try to run this on desk1, it cant capture any packets. They all are on the same LAN. What am i missing?

Upvotes: 0

Views: 1241

Answers (3)

Mike Pennington
Mike Pennington

Reputation: 43097

Assuming that either serv1 or serv2 are on the same physical ethernet switch as desk1, you can sniff transit traffic between serv1 and serv2 by using a feature called SPAN (Switch Port Analyzer).

Assume your server is on FastEtheret4/2 and your desktop is on FastEthernet4/3 of the Cisco Switch... you should telnet or ssh into the switch and enter these commands...

4507R#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

4507R(config)#monitor session 1 source interface fastethernet 4/2

!--- This configures interface Fast Ethernet 4/2 as source port.

4507R(config)#monitor session 1 destination interface fastethernet 4/3

!--- The configures interface Fast Ethernet 0/3 as destination port.



4507R#show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa4/2
Destination Ports : Fa4/3


4507R#

This feature is not limited to Cisco devices... Juniper / HP / Extreme and other Enterprise ethernet switch vendors also support it.

Upvotes: 2

Adrian Cornish
Adrian Cornish

Reputation: 23896

How about using the misnamed tcpdump which will capture all traffic from the wire. What I suggest doing is just capturing packets on the interface. Do not filter at the capture level. After you can filter the pcap file. Something like this

tcpdump -w myfile.pcap -n -nn -i eth0

Upvotes: 1

Jake Feasel
Jake Feasel

Reputation: 16945

If your LAN is a switched network (most are) or your desktop NIC doesn't support promiscuous mode, then you won't be able to see any of the packets. Verify both of those things.

Upvotes: 0

Related Questions