[afnog] tcpdump
Marie-Paule UWASE
puwase at gmail.com
Wed Jul 2 08:44:46 UTC 2008
Thanks Phil,
I will definitely use tshark.
MP
On Wed, Jul 2, 2008 at 10:06 AM, Phil Regnauld <regnauld at x0.dk> wrote:
> Marie-Paule UWASE (puwase) writes:
>> Hello
>>
>> is it possible, on a Linux box, to see what traffic traversed an
>> interface at a certain time in the past?
>
> Only if you've captured the data.
>
>> I know tcpdump can do that by using the -w option to store it in a
>> file and display it later
>
> use tshark (part of wireshark, formerly known as ethereal)
> with circular buffers instead, so it logs for example
> 10 files of 10 GB each, or 1 file every 6 hours:
>
> Options -b controls this, see below.
>
>> but I am wondering if it is possible to see that traffic without
>> having previously stored it in a file
>
> If you think about it: where would the information be stored ?
> Unfortunately no...
>
>
> -b <capture ring buffer option>
> Cause TShark to run in "multiple files" mode. In "multiple files"
> mode, TShark will write to several capture files. When the first
> capture file fills up, TShark will switch writing to the next file
> and so on.
>
> The created filenames are based on the filename given with the -w
> option, the number of the file and on the creation date and time,
> e.g. outfile_00001_20050604120117.pcap,
> outfile_00001_20050604120523.pcap, ...
>
> With the files option it's also possible to form a "ring buffer".
> This will fill up new files until the number of files specified, at
> which point TShark will discard the data in the first file and
> start writing to that file and so on. If the files option is not
> set, new files are filled up until one of the capture stop conditions
> matches (or until the disk is full).
>
> The criterion is of the form key:value, where key is one of:
>
> duration:value switch to the next file after value seconds have
> elapsed, even if the current file is not completely filled up.
>
> filesize:value switch to the next file after it reaches a size of
> value kilobytes (where a kilobyte is 1024 bytes).
>
> files:value begin again with the first file after value number of
> files were written (form a ring buffer).
>
>
--
Marie-Paule UWASE
National University of Rwanda
ICT Center
Tel(mob): +250-08754700
Tel(off): +250-08183561
Fax: +250-530121
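As an added example (not part of the thread, and not tshark's own code), the following Python helper shows the two practical steps behind Phil's advice: turning "10 files of 10 GB" or "1 file every 6 hours" into the `-b` values tshark expects (filesize is in kilobytes, duration in seconds), and, once a ring buffer exists, picking the capture file that covers a given moment in the past from the `PREFIX_NNNNN_YYYYMMDDhhmmss.pcap` names quoted above. The file names and times below are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Filename layout tshark uses with -b and -w PREFIX, as quoted in the thread:
#   PREFIX_<5-digit file number>_<YYYYMMDDhhmmss>.pcap
RING_FILE_RE = re.compile(r"^(?P<prefix>.+)_(?P<num>\d{5})_(?P<ts>\d{14})\.pcap$")


def ring_buffer_args(prefix, interface, files=None, filesize_gb=None, duration_hours=None):
    """Build a tshark argv for a ring buffer. filesize:value is in kilobytes
    (1024 bytes) and duration:value in seconds, so human units are converted here."""
    argv = ["tshark", "-i", interface, "-w", prefix]
    if filesize_gb is not None:
        argv += ["-b", "filesize:%d" % (filesize_gb * 1024 * 1024)]
    if duration_hours is not None:
        argv += ["-b", "duration:%d" % (duration_hours * 3600)]
    if files is not None:
        argv += ["-b", "files:%d" % files]
    return argv


def parse_ring_filename(name):
    """Return (file number, creation time) for a ring-buffer file name, or None."""
    m = RING_FILE_RE.match(name)
    if not m:
        return None
    return int(m.group("num")), datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")


def file_covering(names, when, max_duration=None):
    """Name of the capture file holding traffic seen at `when`, or None.

    Each file covers [its creation time, next file's creation time). The newest
    file is open-ended unless max_duration (the duration:value given to -b) is
    set. None means the moment is older than the oldest file still in the ring
    (already overwritten) or later than the last file's window.
    """
    files = sorted((p[1], n) for n in names for p in [parse_ring_filename(n)] if p)
    for i, (start, name) in enumerate(files):
        if i + 1 < len(files):
            end = files[i + 1][0]
        elif max_duration is not None:
            end = start + max_duration
        else:
            end = datetime.max
        if start <= when < end:
            return name
    return None


# Constructed sample directory listing (unsorted, with one unrelated file).
SAMPLE_NAMES = ["outfile_00003_20050604121000.pcap", "notes.txt",
                "outfile_00001_20050604120117.pcap", "outfile_00002_20050604120523.pcap"]
```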