Reading a packet capture file with Wireshark and tshark
Needle in Haystack
Wireshark doesn’t just work in real time. If you save a history of network activity in a pcap file using a tool such as tcpdump, you can filter the data with Wireshark to search for evidence.
Intrusion detection tools that use the libpcap C/ C++ library for network traffic capture (such as Snort and Tcpdump) can output packet capture information to a file for later reference. The format of this capture file is known as pcap. By capturing packet data to a file, an investigator can return later to study the history of an intrusion attempt – or to turn up other important clues about clandestine activity on the network.
Of course, the traffic history data stored in a pcap file is much too vast to study by just viewing the file manually. Security experts use specialized filtering tools to search through the file for pertinent information. One way to look for clues in a pcap file is to use the Wireshark protocol analysis tool [3] and its accompanying command-line utility tshark.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Direct Download
Read full article as PDF:
Price $2.95
News
-
NextCloud 14 Arrives
The new version adds two new security features for users.
-
Linus Torvalds Takes a Break, Apologizes
The creator of Linux is admitting his abusive behavior on LKML and plans to change.
-
A New Business Model for Open Source Projects
Storj offers a new program that enables open source projects to monetize from storage.
-
Linux Mint Debian Edition 3 Released
It’s Linux Mint without any Ubuntu base packages.
-
Zorin OS 12.4 Released
It’s an extremely popular distribution among Windows and macOS users.
-
Debian Celebrates Its Birthday
The great community Linux distro turns 25 years old.
-
Chromebooks Support Debian Applications
Containerized Debian environment is now available through the Chrome OS dev channel.
-
Opera Embraces Snap for Linux
Announcement may open doors for more mainstream applications to adopt Ubuntu's Snap package system.
-
Canonical Fixes Boot Failure Issues in Ubuntu
The regression that led to boot failures was introduced by a previous patch.
-
Weird Unofficial LibreOffice Version Shows Up in the Microsoft Store
Unknown developer wants you to pay $2.99 for a free tool.