regnauld at x0.dk
Wed Jul 2 08:06:49 UTC 2008
Marie-Paule UWASE (puwase) writes:
> is it possible, on a Linux box, to see what traffic traversed an
> interface at a certain time in the past?
Only if you've captured the data.
> I know tcpdump can do that by using the -w option to store it in a
> file and display it later
use tshark (part of wireshark, formerly known as ethereal)
with circular buffers instead, so it logs, for example,
10 files of 10 GB each, or 1 file every 6 hours.
Option -b controls this, see below.
> but I am wondering if it is possible to see that traffic without
> having previously stored it in a file
If you think about it: where would the information be stored?
-b <capture ring buffer option>
Cause TShark to run in "multiple files" mode. In "multiple files"
mode, TShark will write to several capture files. When the first
capture file fills up, TShark will switch writing to the next file
and so on.
The created filenames are based on the filename given with the -w
option, the number of the file and on the creation date and time,
e.g. outfile_00001_20050604120117.pcap, out-
With the files option it's also possible to form a "ring buffer".
This will fill up new files until the number of files specified, at
which point TShark will discard the data in the first file and
start writing to that file and so on. If the files option is not
set, new files are filled up until one of the capture stop conditions
matches (or until the disk is full).
The criterion is of the form key:value, where key is one of:
duration:value switch to the next file after value seconds have
elapsed, even if the current file is not completely filled up.
filesize:value switch to the next file after it reaches a size of
value kilobytes (where a kilobyte is 1024 bytes).
files:value begin again with the first file after value number of
files were written (form a ring buffer).