While I have been using Wireshark for many years (since back when it was still called Ethereal), I only just discovered tshark, the command-line version. It is a more modern replacement for tcpdump with some very nice capabilities that make it worth learning for terminal-based packet analysis, and it comes with a minimalist companion called dumpcap that does packet capture only.
In my case I want to capture traffic on a fairly busy gigabit interface in order to inspect a brief event that only happens randomly once every couple of days. I do have a separate SMS alarm that triggers when the event happens, thanks to OpenNMS, but by the time I have received the alarm, logged into my packet capture machine and kicked off tcpdump, it is usually too late to capture anything useful. This is where the following usage of dumpcap's built-in ring buffer mode comes in handy:
dumpcap -n -a filesize:102400 -b files:4500 -w /tmp/capture/problem.pcapng
This command, when run in the background using screen, will continuously capture data from the network, storing it in 4500 automatically rotated, time-stamped files of 100MB each. This means that I always have the last 450GB of network traffic available to analyse without ever filling up the 500GB disk in my capture machine, which should allow me to solve the problem next time it occurs!
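Once the alarm arrives, the remaining step is working out which of the 4500 rotated files was being written at the moment of the event. The shell script below is an added example, not part of the original post; it assumes dumpcap's ring-buffer naming convention (prefix_NNNNN_YYYYmmddHHMMSS.pcapng, with the timestamp being the local time the file was started) and builds a constructed set of empty files in place of a real capture directory.

```shell
#!/bin/sh
# Added example: find the ring-buffer file(s) that cover a given event time.
# Assumption: dumpcap names rotated files prefix_NNNNN_YYYYmmddHHMMSS.pcapng,
# where the timestamp is the moment that file was started.

# Usage: ring_files_for_event <capture_dir> <prefix> <event_time YYYYmmddHHMMSS>
# Prints the file that was open at event_time, followed by the next file in the
# ring if one exists (the event may run past a rotation). Returns 1 if the
# event predates the oldest surviving file, i.e. the ring has overwritten it.
ring_files_for_event() {
    dir=$1; prefix=$2; event=$3
    match=""; next=""
    # The shell expands the glob in sorted order; the zero-padded sequence
    # number keeps the files chronological.
    for f in "$dir/${prefix}"_*_*.pcapng; do
        [ -e "$f" ] || continue
        stamp=${f##*_}             # 20240301100500.pcapng
        stamp=${stamp%.pcapng}     # 20240301100500 (start time of this file)
        if [ "$stamp" -le "$event" ]; then
            match=$f               # started at or before the event
        else
            next=$f                # first file started after the event
            break
        fi
    done
    [ -n "$match" ] || return 1
    echo "$match"
    [ -n "$next" ] && echo "$next"
    return 0
}

# Constructed sample ring (empty files) mirroring the post's naming under
# /tmp/capture/problem.pcapng. Prints the directory it created.
make_sample_ring() {
    d=$(mktemp -d)
    for s in 00001_20240301100000 00002_20240301100500 \
             00003_20240301101000 00004_20240301101500; do
        : > "$d/problem_$s.pcapng"
    done
    echo "$d"
}

# Demo: an alarm for 10:07:30 on 1 March 2024 lands in file 00002 (started
# 10:05:00); file 00003 is printed too in case the event straddled the rotation.
demo_dir=$(make_sample_ring)
ring_files_for_event "$demo_dir" problem 20240301100730
rm -r "$demo_dir"
```

Because the name carries the file's start time rather than its end time, the lookup always pairs the matching file with its successor, so a two-file merge (mergecap) covers an event that ran across a rotation.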