I needed to capture some packets on a server to import into Wireshark on a Windows XP computer, but I hadn't done this in a while, so I needed a refresher on how to do it. I ended up using dumpcap to capture the data, copied the dump file to the Windows computer, and then imported it into Wireshark. One thing I had a moment of trouble with was the dumpcap filter syntax. Below are some examples of the capture filter syntax that the dumpcap -f switch uses.
Basic dumpcap Capture [All Data]:
- dumpcap -w /path/to/file
Capture Only FTP Traffic with dumpcap:
- dumpcap -f "port ftp" -w /path/to/file
Capture Only One Host's Traffic with dumpcap:
- dumpcap -f "host server.example.com" -w /path/to/file
or you can use…
- dumpcap -f "host 192.168.0.100" -w /path/to/file
Filter on Port and Host Using dumpcap:
- dumpcap -f "tcp port ftp and host 192.168.0.100" -w /path/to/file
The above will only capture FTP traffic to or from 192.168.0.100. You can also exclude data using “not” in your filter statement. Other options include “or”, “src”, “tcp”, “udp”, etc. If you need further details regarding dumpcap filter syntax, leave a comment below and we will reply with specific data.
If you use incorrect syntax, you will receive an error similar to the one below when using dumpcap.
Error:
- Invalid capture filter: "dest 192.168.4.32"!
- That string isn't a valid capture filter (syntax error).
- See the User's Guide for a description of the capture filter syntax.
Notice that the error above was caused by using “dest” instead of “dst”.
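As an added example (not from the original post), the following script builds a capture filter from a host and port, asks dumpcap to compile it with -d before any capture starts so a typo like “dest” is caught up front, and stops the capture automatically after a time limit. It assumes dumpcap is on the PATH, that the user may capture on the chosen interface, and that the interface name is supplied in the CAPTURE_IFACE environment variable (an assumed convention, not a dumpcap option).

```shell
#!/bin/sh
# Added example: compile-check a dumpcap capture filter before using it.
# Assumes dumpcap is installed and the caller may capture on the interface.

# build_filter HOST PORT [PROTO]
# Prints a capture filter such as "host 192.168.0.100 and tcp port ftp".
# Either HOST or PORT may be empty; PROTO (tcp/udp) only qualifies the port.
build_filter() {
    host="$1"; port="$2"; proto="${3:-}"; expr=""
    if [ -n "$host" ]; then
        expr="host $host"
    fi
    if [ -n "$port" ]; then
        if [ -n "$expr" ]; then
            expr="$expr and "
        fi
        if [ -n "$proto" ]; then
            expr="${expr}${proto} port $port"
        else
            expr="${expr}port $port"
        fi
    fi
    printf '%s\n' "$expr"
}

# check_filter IFACE EXPR
# "dumpcap -d" compiles the filter for the interface's link type and prints
# the BPF program without capturing, so a syntax error surfaces immediately.
check_filter() {
    dumpcap -i "$1" -d -f "$2" >/dev/null 2>&1
}

# capture IFACE EXPR OUTFILE SECONDS
# Refuses to start on an invalid filter; otherwise captures with the filter
# and stops after SECONDS (-a duration:N) so the capture cannot run away.
capture() {
    iface="$1"; expr="$2"; out="$3"; secs="$4"
    if ! check_filter "$iface" "$expr"; then
        echo "invalid capture filter: $expr" >&2
        return 1
    fi
    dumpcap -i "$iface" -f "$expr" -w "$out" -a duration:"$secs"
}

# Only capture when an interface is given, e.g. CAPTURE_IFACE=eth0 sh capture.sh
if [ -n "${CAPTURE_IFACE:-}" ]; then
    capture "$CAPTURE_IFACE" "$(build_filter 192.168.0.100 ftp tcp)" /tmp/capture.pcapng 60
fi
```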
Once you have the data, simply scp (secure copy) it to your Windows computer and open it in Wireshark. This will give you an in-depth view of the server's traffic from your Windows computer.