Problem
If you leave a Wireshark capture running, it can quickly fill a large portion of your disk. A rolling (ring buffer) capture lets you cap how much disk space Wireshark uses: it writes to a series of capture files of a designated size and, once the configured number of files exists, deletes the oldest file each time a new one is started.
tl;dr (CentOS)
Install Wireshark and Screen
yum install wireshark screen -y
Run your Wireshark capture in the background using Screen. The capture files will be located in your current directory and named mycapture followed by a sequence number and a timestamp. This example keeps a ring of ten 100 MB files (filesize is given in kB), deleting the oldest file as each new one is started.
screen -S wireshark -d -m tshark -i eth0 -w mycapture -b filesize:100000 -b files:10
Solution
Wireshark is an invaluable resource for any network admin. It can help you track down pesky networking problems and confirm your suspicions regarding mischievous behaviour taking place on your network. This particular example is great for snuffing out botnets and helping you determine the nature of a DDoS attack, as you never know when the attack might occur and a rolling capture will allow you to leave Wireshark running indefinitely.
First, let's install Screen and Wireshark.
yum install wireshark screen -y
In this example, we will use screen to run Wireshark's command-line tool, tshark, in the background. tshark will keep a ring of ten 100 MB files, deleting the oldest file each time a new one is started. The capture files will be named mycapture followed by a sequence number and a timestamp indicating when each capture file was created.
screen -S wireshark -d -m tshark -i eth0 -w mycapture -b filesize:100000 -b files:10
If you would like the capture to continue after the server has been rebooted, you can add the above command to /etc/rc.local. Note that a command started from rc.local runs with / as its working directory, so give -w an absolute path; on CentOS 7 the file must also be executable (chmod +x /etc/rc.local) or systemd will not run it.
echo "screen -S wireshark -d -m tshark -i eth0 -w mycapture -b filesize:100000 -b files:10" >> /etc/rc.local
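Two small helpers for working with the ring buffer described above, added here as an example and not part of the original post: one works out the disk budget a given filesize/files pair commits you to, the other picks the capture file that was being written when an event of interest occurred. File names follow tshark's ring-buffer convention (prefix_sequence_YYYYmmddHHMMSS, optionally with a .pcap or .pcapng extension); the names in the demo are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post). tshark names ring-buffer files
# <prefix>_<seq>_<YYYYmmddHHMMSS>, e.g. mycapture_00001_20240305140000.
# The file names used below are constructed for illustration.

# Upper bound on disk use for "-b filesize:SIZE_KB -b files:N", in MB.
# tshark's filesize unit is kB, so 100000 kB x 10 files = 1000 MB.
ring_budget_mb() {
    echo $(( $1 * $2 / 1000 ))
}

# Extract the YYYYmmddHHMMSS start time from a ring-buffer file name,
# dropping any .pcap/.pcapng extension.
capture_start() {
    ts=${1##*_}
    echo "${ts%%.*}"
}

# find_capture PREFIX WHEN FILE... : print the capture file whose start
# time is the latest one not after WHEN (YYYYmmddHHMMSS), i.e. the file
# that was being written when the event occurred. Prints nothing if the
# event predates every file still in the ring (it was already rotated out).
find_capture() {
    prefix=$1; when=$2; shift 2
    best=""; best_ts=0
    for f in "$@"; do
        case "$f" in "${prefix}"_*) ;; *) continue ;; esac   # skip other prefixes
        ts=$(capture_start "$f")
        if [ "$ts" -le "$when" ] && [ "$ts" -gt "$best_ts" ]; then
            best=$f; best_ts=$ts
        fi
    done
    if [ -n "$best" ]; then echo "$best"; fi
}

# Constructed ring after three rotations (no real files are read):
RING="mycapture_00001_20240305140000 mycapture_00002_20240305141500 mycapture_00003_20240305143000.pcapng"
ring_budget_mb 100000 10                       # 1000
find_capture mycapture 20240305142000 $RING    # mycapture_00002_20240305141500
```

Run it against the real ring with `find_capture mycapture 20240305142000 mycapture_*`; the file it prints is the one to copy off the server and open in Wireshark.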
If you would like to analyse the capture file using a graphical interface, you will need to download the capture file to your desktop. You can copy the file from the server over SSH (port 22) using any SFTP client such as FileZilla.
Once the file has been downloaded, you should be able to open it using the graphical version of Wireshark.
If you would rather analyse the capture file using the command line, here are some examples to get you started.
Use the -Y parameter to specify a display filter (older tshark versions used -R for this; current versions only accept -R together with the two-pass -2 option).
tshark -Y "ip.addr == 192.168.1.10" -r /tmp/capture.cap
Here are some Wireshark filters.
Exclude an IP
!(ip.addr == 192.168.1.10)
Filter by source IP
ip.src == 192.168.1.10
Filter by destination IP
ip.dst == 192.168.1.1
Exclude ARP entries
not arp
Filter by port (matches either the source or the destination port)
tcp.port == 80 || udp.port == 80
Filter by port and IP
ip.addr == 192.168.1.10 && tcp.port == 80
Filter by MAC address
eth.addr == 00:14:D1:3E:1C:CA