captureWireshark

crazy-max edited this page Jun 7, 2016 · 3 revisions

Capture with Wireshark

About

Wireshark is the well-known network protocol analyzer.

Capture

Via GUI

To capture / log traffic with this application, you have to select the correct adapter and enter a capture filter:

Filter: not arp and port not 53 and not icmp and not icmp6 and not broadcast
Adapter: Ethernet

Then click on your adapter to start the capture. When the capture is done, do not forget to save your capture in pcapng format.

Via command line

@ECHO OFF

REM Capture on interface 1 with the same capture filter as the GUI and write a pcapng file.
"C:\Program Files\Wireshark\dumpcap.exe" -i 1 -f "not arp and port not 53 and not icmp and not icmp6 and not broadcast" -w "C:\tmp\cap.pcapng"

Where -i 1 is the number of your adapter (here Ethernet). Run dumpcap.exe -D to list the available interfaces with their numbers.

Parsing

The script scripts/wireshark/wireshark.bat can be used to parse captures and generate CSV files. Wireshark 2 is required for this script.
Before executing the script, do not forget to edit wireshark.conf:

{
    "tsharkExe": "C:/Program Files/Wireshark/tshark.exe",
    "pcapngPath": "C:/Users/<username>/Documents/Wireshark/cap.pcapng",
    "exclude": {
        "ips": [
            "0.0.0.0",
            "127.0.0.1",
            "10.0.0.1",
            "192.168.0.0-192.168.0.255"
        ],
        "hosts": [
            "MyComputer",
            "localhost",
            "*.local"
        ]
    }
}
  • tsharkExe: Path to tshark.exe.
  • pcapngPath: Path to your pcapng capture file.
  • exclude ips: IP addresses to exclude from parsing. Ranges are allowed, and in most cases you have to exclude your local network.
  • exclude hosts: hosts / domains to exclude from parsing. Wildcards are allowed, and in most cases you have to exclude your local network and your ISP domain.

Then execute the script:

CSV files will be generated in the logs/ folder:

  • wireshark-hosts-count.csv
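How the exclude section of wireshark.conf and the hosts-count CSV fit together, as an added Python example that is not the project's wireshark.bat: it drops IPs listed as single addresses or lo-hi ranges, drops hosts by case-insensitive wildcard, and counts the remaining (IP, host) pairs into CSV text. The tshark output lines, the addresses and the field layout (ip.dst, dns.qry.name) are constructed assumptions, not taken from a real capture or from the script.

```python
import csv, fnmatch, io, ipaddress, json
from collections import Counter

# Constructed wireshark.conf "exclude" section, in the layout documented above.
CONF = json.loads('''{"exclude": {
    "ips": ["0.0.0.0", "127.0.0.1", "10.0.0.1", "192.168.0.0-192.168.0.255"],
    "hosts": ["MyComputer", "localhost", "*.local"]}}''')

# Constructed tab-separated tshark field output (ip.dst, dns.qry.name); TEST-NET addresses.
SAMPLE = """\
192.168.0.10\tMyComputer
203.0.113.5\t
198.51.100.7\ttelemetry.example.com
198.51.100.7\ttelemetry.example.com
203.0.113.20\tnas.local
203.0.113.9\tupdates.example.net
"""

def ip_excluded(ip, patterns):
    """True if ip matches an exclude entry (single IP or 'lo-hi' range)."""
    addr = ipaddress.ip_address(ip)
    for pat in patterns:
        if "-" in pat:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in pat.split("-", 1))
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif addr == ipaddress.ip_address(pat):
            return True
    return False

def host_excluded(host, patterns):
    """Case-insensitive shell-style wildcard match, so '*.local' covers 'nas.local'."""
    return any(fnmatch.fnmatchcase(host.lower(), pat.lower()) for pat in patterns)

def count_hosts(lines, conf):
    """Count (ip, host) pairs, dropping lines whose IP or host is excluded."""
    counts = Counter()
    for line in lines:
        ip, host = [f.strip() for f in (line.split("\t") + [""])[:2]]
        if ip and not ip_excluded(ip, conf["exclude"]["ips"]):
            if not (host and host_excluded(host, conf["exclude"]["hosts"])):
                counts[(ip, host)] += 1
    return counts

def to_csv(counts):  # CSV text, most frequent first, like wireshark-hosts-count.csv
    buf = io.StringIO()
    rows = [[ip, host, n] for (ip, host), n in counts.most_common()]
    csv.writer(buf, lineterminator="\n").writerows([["IP", "HOST", "COUNT"]] + rows)
    return buf.getvalue()
```

Run it as `print(to_csv(count_hosts(SAMPLE.splitlines(), CONF)))`; the two 192.168.0.x and nas.local lines are dropped by the range and wildcard rules.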