1
votes

Currently I have some traffic being forwarded to a machine in a data center; this machine has a PCAP script running to grab all of this traffic. After X period of time the files are compressed using 7-Zip to make the files as small as possible.

The workflow at the moment involves collecting the files directly from the data center and uploading them to a work machine for analysis. We have access to another machine on the network, not in the data center, and would like to collect the files over the network. The only problem is that the PCAP then includes this transfer in the files, and as they are already compressed this causes the files to balloon in size, going from sub-10 MB to 80 MB+.

It is important to collect all of the network traffic, so I was hoping just to filter out transfers between these two machines rather than specifying all of the connections I need to capture.

I tried adding "-f not src net 10.213.121.13" and "-f not host 10.213.121.13" to the script, but in both cases it complained about a syntax issue. Any ideas of how to accomplish this would be appreciated.

Script:

dumpcap -i1 -b filesize:100000 files:200 -f not src net 10.213.121.13 -w C:\WIRESHARK_LOGS\log_dumpcap


1 Answer

1
votes

The problem is that dumpcap requires the filter expression to be quoted, unlike TCPDump, where it may be quoted (or will require quotes if it includes a BPF filter or other shell-digested characters). So, the following should resolve your problem as you have asked it:

dumpcap -i1 -b filesize:100000 files:200 -f 'not src host 10.213.121.13' -w C:\WIRESHARK_LOGS\log_dumpcap

However, I'm assuming that you will be using TCP to transfer the file. If that's the case, you really don't want the ACK packets either, so:

dumpcap -i1 -b filesize:100000 files:200 -f 'not host 10.213.121.13' -w C:\WIRESHARK_LOGS\log_dumpcap

I would suggest, however, that you might want to refine that more. I would recommend specifying the port that is being used for the transfer so that you are not blinding yourself to all other traffic in and out of the 10.213.121.13 box.
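To make the answer's last point concrete, here is an added example (not part of the answer or of Wireshark) that evaluates the three candidate capture filters against constructed sample traffic. It assumes the transfer runs over TCP port 445 and that 10.213.121.13 sends the file data while the other side returns ACKs; the packets are made up for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

TRANSFER_HOST = "10.213.121.13"  # the collection box from the question
TRANSFER_PORT = 445              # assumed transfer port (constructed)

# Constructed sample traffic: monitored flows, legitimate traffic involving the
# collection box (SSH admin session, a DNS lookup), and the file transfer itself.
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.9", "tcp", 51000, 80),          # monitored web request
    Packet("10.0.0.9", "10.0.0.5", "tcp", 80, 51000),          # monitored web reply
    Packet("10.0.0.7", TRANSFER_HOST, "tcp", 52000, 22),       # SSH to collector: keep
    Packet(TRANSFER_HOST, "10.0.0.7", "tcp", 22, 52000),       # SSH reply: keep
    Packet(TRANSFER_HOST, "10.0.0.2", "udp", 40000, 53),       # collector DNS query: keep
    Packet(TRANSFER_HOST, "10.0.0.30", "tcp", 445, 60000),     # transfer data: drop
    Packet("10.0.0.30", TRANSFER_HOST, "tcp", 60000, 445),     # transfer ACK: drop
]

def is_transfer(p: Packet) -> bool:
    """True for packets belonging to the compressed-PCAP transfer flow."""
    return (TRANSFER_HOST in (p.src, p.dst) and p.proto == "tcp"
            and TRANSFER_PORT in (p.sport, p.dport))

# Python equivalents of the BPF expressions discussed above.
FILTERS: Dict[str, Callable[[Packet], bool]] = {
    "not src host": lambda p: p.src != TRANSFER_HOST,
    "not host": lambda p: TRANSFER_HOST not in (p.src, p.dst),
    "not (host and tcp port)": lambda p: not is_transfer(p),
}

def bpf_expression() -> str:
    """The refined capture filter the answer recommends, as a BPF string."""
    return f"not (host {TRANSFER_HOST} and tcp port {TRANSFER_PORT})"

def summarize(name: str, packets: List[Packet]) -> Dict[str, int]:
    """Count packets kept, transfer packets that leaked, and other traffic lost."""
    kept = [p for p in packets if FILTERS[name](p)]
    return {
        "kept": len(kept),
        "transfer_leaked": sum(1 for p in kept if is_transfer(p)),
        "other_lost": sum(1 for p in packets if not is_transfer(p) and p not in kept),
    }
```

Running `summarize` for each filter shows `not src host` leaking the ACKs and dropping the collector's own SSH and DNS packets, `not host` blinding the capture to everything touching 10.213.121.13, and the port-scoped filter removing only the transfer.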