Reading a packet capture file with Wireshark and tshark
Needle in Haystack
Wireshark doesn’t just work in real time. If you save a history of network activity in a pcap file using a tool such as tcpdump, you can filter the data with Wireshark to search for evidence.
Intrusion detection tools that use the libpcap C/ C++ library for network traffic capture (such as Snort and Tcpdump) can output packet capture information to a file for later reference. The format of this capture file is known as pcap. By capturing packet data to a file, an investigator can return later to study the history of an intrusion attempt – or to turn up other important clues about clandestine activity on the network.
Of course, the traffic history data stored in a pcap file is much too vast to study by just viewing the file manually. Security experts use specialized filtering tools to search through the file for pertinent information. One way to look for clues in a pcap file is to use the Wireshark protocol analysis tool [3] and its accompanying command-line utility tshark.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Direct Download
Read full article as PDF:
Price $2.95
News
-
The PinePhone Pre-Order has Arrived
Anyone looking to finally get their hands on an early release of the PinePhone can do so as of November 15.
-
Microsoft Edge Coming to Linux
Microsoft is bringing it’s new Chromium-based Edge browser to Linux.
-
Open Invention Network Backs Gnome Project Against Patent Troll
OIN has deployed its legal team to find prior art.
-
Fedora 31 Released
The latest version of Fedora comes with new packages and libraries.
-
openSUSE OBS Can Now Build Windows WSL Images
openSUSE enables developers to build their own WSL distributions.
-
Sudo Vulnerability
A vulnerability in the sudo package gives sudo users more powers than they deserve.
-
The Art of PostgreSQL
The Art of PostgreSQL by Dimitri Fontaine is now available.
-
Red Hat Announces CentOS Stream
New distro will provide an upstream test bed for RHEL.
-
Linus Torvalds Agrees to Kernel Lockdown
The feature will let developers restrict root access to the kernel.
-
Richard Stallman Resigns from Free Software Foundation
GNU founder came under fire for comments made on an internal MIT mailing list