Reading a packet capture file with Wireshark and tshark

Needle in Haystack

Article from Issue 143/2012

Author(s): David J. Dodd

Wireshark doesn’t just work in real time. If you save a history of network activity in a pcap file using a tool such as tcpdump, you can filter the data with Wireshark to search for evidence.

Intrusion detection tools that use the libpcap C/ C++ library for network traffic capture (such as Snort and Tcpdump) can output packet capture information to a file for later reference. The format of this capture file is known as pcap. By capturing packet data to a file, an investigator can return later to study the history of an intrusion attempt – or to turn up other important clues about clandestine activity on the network.

Of course, the traffic history data stored in a pcap file is much too vast to study by just viewing the file manually. Security experts use specialized filtering tools to search through the file for pertinent information. One way to look for clues in a pcap file is to use the Wireshark protocol analysis tool [3] and its accompanying command-line utility tshark.

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia

Related content

Tshark

The simple and practical Tshark packet analyzer gives precise information about the data streams on the network.

more »
Security Lessons

Building a network flight recorder with Wireshark.

more »
Wireshark

If you know your way around network protocols, you can get to the source of a problem quickly with Wireshark.

more »
Wireshark 1.6 Released

The Wireshark free network sniffer rolls out 1.6 release with advanced features.

more »
Wireshark's New 1.2

Wireshark 1.2 introduces a few "new and exciting" features for its network protocol analyzer software.

more »

comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

News

Nextcloud Announces Raspberry Pi-Powered Home Cloud Box

Innovative system adds a hard drive and Ubuntu Core to the RPi for an IoT hub.
Linus Torvalds Confirms the Date of the First Linux Release

Linux is two weeks younger than we thought!
End of OpenOffice?

OpenOffice

The Apache Software Foundation considers retiring OpenOffice
Adobe Gives New Life to NPAPI Plugin for Linux

Adobe Flash , Flash Player

Adobe won’t kill the plugin in 2017
LinuxCon North America Convenes in Toronto, Canada

Linux Foundation's big event celebrates the 25th anniversary of Linux
Linux Turns 25

Linux has evolved from “won’t be a professional” project to one of the most professional software projects in the history of computers.
Mirantis Joins Hands with SUSE To Offer RHEL Support; Red Hat Not Happy

Competitors get in the game with RHEL without Red Hat
Linux on Windows 10 Poses a Security Risk

Security researchers have already notified Microsoft; some fixes are available
Mirantis to Refactor OpenStack Fuel for Kubernetes

The company is collaborating with Google and Intel to use Kubernetes as an engine for Fuel
Canonical Joins Document Foundation Advisory Board

The upcoming release of LibreOffice will be available as a snap package