
How to generate usage and protocol graphs in wireshark

Say I captured the traffic using a SPAN session for a couple of hours. Using these captures I have the following requirement:


> Merging Captures

> Generate graphs in Wireshark showing source and destination IPs, protocol details (like HTTP) and the data transferred between them in Mbps


Can someone suggest...

Comments

  • For long-running captures I would use Wireshark's command
    line tools. It is just that the GUI isn't very responsive when
    working with a lot of data and you don't want to crash while
    capturing traffic :D

    "Dumpcap" is included in Wireshark and it has only enough
    functionality to capture packets. It allows you to configure
    a ring buffer and certain conditions on when to stop capturing packets.

    Example: dumpcap -i eth0 -b filesize:50000 -a duration:10800 -P -w mypktcapture.pcap

    -i eth0 -> Capture packets on eth0
    -b filesize:50000 -> Start a new file every 50 MB
    -a duration:10800 -> Stop capture after 10800 seconds (3 hours)
    -P -> Use the old pcap format instead of pcap-ng (just in case we want to use
    the data in other non-Wireshark tools)
    -w -> Filename prefix

    When the packet capture is finished you can put the individual
    files back together into one big file with "mergecap" if you want.

    mergecap -w completecapture.pcap mypktcapture-0001.pcap mypktcapture-0002.pcap

    Now you could analyze the traffic in Wireshark by using Statistics->Conversations to
    figure out who is talking to whom and how many packets/bytes they sent.

    There are also a lot of graphing options in Statistics/IO-Graphs, but it all depends
    on what you want to find out.

    Afterwards you could also extract src and dst ip addresses from the pcap via
    tshark and convert it into a csv file.
    Then you could use Afterglow to create link graphs to visualize who is talking to whom.

    http://afterglow.sourceforge.net/index.html
    http://www.slideshare.net/zrlram/after-glow

    Another possibility would be to also use tshark or something else to extract the data,
    convert the header fields you are interested in into JSON data and send it to Logstash.
    Then you can use its web interface to generate graphs from the data.

    Here are some examples on what you could do with the Logstash/Kibana web interface.

    https://github.com/NETWAYS/sflow
    https://blog.netways.de/2014/03/25/sflow-traffic-mit-elasticsearch/
    (Just look at the pictures, text is in German :D)

    Here they are just sending data into Logstash from an sFlow device. There are
    a lot of traffic monitoring tools out there, but these are some open source options
    if you want to put something together on your own.

    I'm sorry for all the buzzwords, but it seems like Logstash/Kibana/Elasticsearch/JSON are
    what the cool kids are using nowadays :D

    Best regards,

    Jochen


    Sorry for the weird formatting. The forum software kept messing with my text formatting
    and made the text unreadable :D
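The tshark-to-CSV step suggested above, carried one step further as an added example (not code from the thread): it aggregates tshark field output into per-conversation, per-protocol Mbps per time bucket, which is exactly the data the question wants to graph. It assumes the CSV was produced with `tshark -r completecapture.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len` (real tshark fields; the sample rows below are constructed), and it only counts IPv4 frames, since non-IP frames arrive with empty ip.src/ip.dst fields and are skipped.

```python
"""Aggregate tshark field output (time, src, dst, protocol, length) into Mbps.

Assumed producer command (field names are real tshark fields):
  tshark -r completecapture.pcap -T fields -E separator=, \
      -e frame.time_epoch -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of tshark output; not a real capture.
SAMPLE = """\
1700000000.10,10.0.0.5,93.184.216.34,HTTP,1500
1700000000.40,93.184.216.34,10.0.0.5,HTTP,1500
1700000000.70,10.0.0.5,93.184.216.34,HTTP,1500
1700000001.20,10.0.0.5,10.0.0.53,DNS,80
1700000001.50,10.0.0.53,10.0.0.5,DNS,120
1700000001.90,10.0.0.5,93.184.216.34,HTTP,1500
1700000001.95,,,ARP,60
"""

def conversation_key(src, dst):
    """Order the endpoints so both directions land in the same conversation."""
    return tuple(sorted((src, dst)))

def throughput_mbps(tshark_csv, bucket_seconds=1):
    """Return {(bucket_start, (ip_a, ip_b), protocol): mbps} from tshark CSV text."""
    bytes_per_bucket = defaultdict(int)
    for row in csv.reader(StringIO(tshark_csv)):
        if len(row) != 5 or not row[1] or not row[2]:
            continue  # non-IP frames (e.g. ARP) have empty ip.src/ip.dst fields
        t, src, dst, proto, length = row
        bucket = int(float(t)) // bucket_seconds * bucket_seconds
        bytes_per_bucket[(bucket, conversation_key(src, dst), proto)] += int(length)
    # bytes -> bits, then per second, then megabits
    return {k: v * 8 / bucket_seconds / 1_000_000 for k, v in bytes_per_bucket.items()}

def top_talkers(tshark_csv, n=5):
    """Total bytes per conversation (both directions), highest first."""
    totals = defaultdict(int)
    for row in csv.reader(StringIO(tshark_csv)):
        if len(row) == 5 and row[1] and row[2]:
            totals[conversation_key(row[1], row[2])] += int(row[4])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    # Each line is one point for an IO-graph style plot: time, conversation, protocol, Mbps
    for (bucket, (a, b), proto), mbps in sorted(throughput_mbps(SAMPLE).items()):
        print(f"{bucket} {a} <-> {b} {proto:5} {mbps:.4f} Mbps")
```

The printed rows can be fed straight into gnuplot or a spreadsheet; widen `bucket_seconds` (e.g. 60) for a multi-hour capture so the graph stays readable.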