Reading a packet capture file with Wireshark and tshark

Needle in Haystack

Article from Issue 143/2012

Author(s): David J. Dodd

Wireshark doesn’t just work in real time. If you save a history of network activity in a pcap file using a tool such as tcpdump, you can filter the data with Wireshark to search for evidence.

Intrusion detection tools that use the libpcap C/ C++ library for network traffic capture (such as Snort and Tcpdump) can output packet capture information to a file for later reference. The format of this capture file is known as pcap. By capturing packet data to a file, an investigator can return later to study the history of an intrusion attempt – or to turn up other important clues about clandestine activity on the network.

Of course, the traffic history data stored in a pcap file is much too vast to study by just viewing the file manually. Security experts use specialized filtering tools to search through the file for pertinent information. One way to look for clues in a pcap file is to use the Wireshark protocol analysis tool [3] and its accompanying command-line utility tshark.

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia

Related content

Tshark

The simple and practical Tshark packet analyzer gives precise information about the data streams on the network.

more »
Security Lessons

Building a network flight recorder with Wireshark.

more »
Core Technologies

Learn what's going on in your network, using Linux and its arsenal of packet capture tools.

more »
Wireshark

If you know your way around network protocols, you can get to the source of a problem quickly with Wireshark.

more »
Wireshark 1.6 Released

The Wireshark free network sniffer rolls out 1.6 release with advanced features.

more »

comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

DevOps

Reinvent your network with DevOps tools and techniques:

Opportunities and Risks: Containers for DevOps
Automated Builds Using CentOS 7 and Kickstart
Elasticsearch, Logstash, and Kibana – The ELK stack
Are you ready for DevOps? Try your luck with the beta version of Linux Professional Institute's new DevOps exam.

News

Linus Torvalds Invites Attackers to Join the Kernel Community

He wants attackers to join the community instead of attacking the code.
Oracle Donating Java EE to the Eclipse Foundation

Oracle is recommending a new name for the Java Enterprise Edition platform.
Reddit Closing Doors to Open Source

The peanut gallery of the Internet is closing its open source repository.
Largest Open Source Summit to Date Around the Corner

LinuxCon is now Open Source Summit.
Gnome is Celebrating it’s 20th Birthday

Gnome

More than 33 releases since the first release of Gnome.
SQL Server Comes to RHEL; OpenShift Comes to Azure

Microsoft and Red Hat expand their partnership.
LibreOffice 5.4 Released

Comes with improved support for Microsoft Office file formats.
Red Hat to Drop Support for Btrfs

The company is building their own storage solution called Stratis.
Reinvent your network with DevOps tools and techniques:

Opportunities and Risks: Containers for DevOps
Automated Builds Using CentOS 7 and Kickstart
Elasticsearch, Logstash, and Kibana – The ELK stack
Are you ready for DevOps? Try your luck with the beta version of Linux Professional Institute's new DevOps exam.
Kolab Now Integrates Collabora Online

Kolab Now subscribers now have access to Collabora Online.