I have been writing about network sniffing lately. back on the 22nd of last month I talked about using an alternative to Wireshark called Microsoft Network Monitor (MNM). Although I did find that tool to be easier to use, and read data than Wireshark, it simply didn't collect all of the data that I needed it to. You see, if you read that post, you will know that we have this weird intermittent issue where all traffic in or out of one particular VLAN will drop for about 2 to 5 minutes. Just enough time for connections from our production web servers to lose connection with the database on the back end. During these hiccups as I like to call them, all traffic within that VLAN still proceeds without issue.
Well we had another hiccup the night before last, and I rushed to my computer, VPN'd into the office, and remoted into the computer where I was running Microsoft Network Monitor. I saw some stuff that threw up red flags, but nothing really conclusive. I sent the packet over to my long time friend, and owner of Total Tech Resource Corp in San Diego and asked him if anything jumped out at him. He's been doing the IT thing way longer than me, so I really trust his expertise.
Anyway, he replied with this:
Nothing really jumps out except I am wondering why you have so much arp and netbios traffic and not much TCP/IP...
He was right, there seemed to be a lack of packets in the capture from MNM. I decided to run WireShark for a few hours to see if it came up with the same thing. Did it? Hells to the no! It had all sorts of stuff that MNM failed to capture. Stuff like TCP ReTransmits, and HTTP requests. Well crap! The reason I started using Microsoft network Monitor was because WireShark would crash if I ran it too long. That, and I liked the interface of it better, but that doesn't matter a hill of beans if I can't use the data.
Since I can't use WireShark or MNM to capture now, what options do I have? It turns out there is a really cool command line capture tool built in with WireShark called DumpCap that will do the long term capture from the command line. Here is how I am using it:
- Browse to C:\Program Files\Wireshark in the command prompt
- Run dumpcap -D to get a list of your network adapters. Note the number for the adapter where you want to capture traffic. For me it was adapter 1.
- Then run the following to capture 9MB files, while overwritting files after you get 100 files: dumpcap -i 1 -b files:100 -b filesize:9216 -w c:\captures\switch.cap
After running that I would get a new 9MB capture file in c:\capture every minute or two. When I opened up these captures, I had a plethora of packets to work with. Since I saved it in .cap format, I can even open it in MNM if I want, and since it's under 10MB I can copy it to CloudShark to send to my Network Admin buddies. (Look for my post about CloudShark on AskTheAdmin on December 7th). Not to mention that I can run this tool pretty much forever, and I don't have to worry about it crashing on me like with full blown WireShark. Smells like long term capturing!
Another cool thing about this is that since it's a command line tool, that means you can script your packet captures now, and can run them as a scheduled task if you want. I think having a command line packet sniffer that can be scripted is a very handy tool to have in your tool box. What do you think?
Related articles, courtesy of Zemanta: