CloudShark Blog

Training, webinars, and resources for network analysis

May 29, 2018

What are some easy to use packet capture tools?

Written By
CloudShark
Published
May 29, 2018
Posted to: Articles, Capture Tools
Tags: Wireshark, Windows, mac-osx, Chrome OS

A common question we get other than where to find example packet captures is which packet capture tools exist that are either free, work in a command line, work directly with CloudShark, or all of the above. Here’s a list of our go-to capture tools (other than Wireshark of course) and the different scenarios in which they can be used.

About ring buffers

CloudShark is made to work with capture files directly. While it's not possible to stream live packets to CloudShark, there's an option at your disposal that is enabled by many of the tools listed here called "ring buffering". You can read how to use ring buffers with CloudShark here.

tshark

tshark is the command line packet capture tool that comes with Wireshark. If you’re capturing from a system that can support Wireshark, tshark is a robust tool that allows you to specify a good number of options when determining what to capture, including capture filters, capture buffer size, and the ability to use a ring buffer to continuously create captures of a specific maximum size.

The nice thing about tshark is that it works directly with our CloudShark plug-in for Wireshark. After setting up the configuration file with your CloudShark API key, tshark will send completed captures to your CloudShark repository automatically, or, if you’d rather, when prompted in the command line.

tshark also works if you’ve installed Wireshark for Windows, but you’ll have to set up a path for it. By default it runs from \Program Files\Wireshark\tshark.exe.

tcpdump

tcpdump is the networking tech standard when it comes to performing remote captures on a system, and the tool most often used in our examples and exercises. It’s also fairly robust: it lets you specify capture filters using expressions, and it can create a rotating (ring) buffer using the -C (maximum file size) and -W (number of files) options.

It should be noted that by default tcpdump publishes the packet info to stdout. To create a pcap that can be used with CloudShark, use the -w flag and specify a filename. For example:

tcpdump -w capture.pcap

Note that while tcpdump can read pcapng files and display them, it captures in pcap format. You can read about the differences and benefits of pcapng here.

Since it’s widely used, there’s a lot of support out there. The people over at hackertarget have an in-depth overview of tcpdump with some great examples.

dumpcap

dumpcap is the raw packet capture engine used by Wireshark and tshark. Using it directly has some advantages, as it is lighter weight in terms of processing and memory. That’s one of the reasons we used it in our example of building a network probe using a Raspberry Pi.

As you might expect, we’ve combined some of the above tools with the HTTP command line client cURL to build a command we call cloudshark-capture, which takes a capture using dumpcap and then automatically uploads it to CloudShark. You can find this and many other tools on the CloudShark GitHub repository.

ChromeOS packet capture

For those looking to troubleshoot networks or applications for users of Chromebooks, Chrome OS has its own packet capture command. With a completed capture you can use the Chrome browser to log into CloudShark and upload the capture directly.

Airtool

CloudShark has a large list of integrators, different tools and architectures that have incorporated CloudShark views or CloudShark upload into their systems. Out of that list, Airtool stands out as a stand-alone capture tool for troubleshooting Wi-Fi in Mac OS. Airtool captures can be automatically uploaded to CloudShark using your API key.

You can watch a video and read how to use Airtool here.

Mac OS Wireless Diagnostic

Similar in functionality to Airtool is the Mac OS Wireless Diagnostics tool, which has a built-in “sniffing” feature that lets you select a channel and band to capture at the raw 802.11 layer. If you’re doing Wi-Fi analysis it can be handy, though the tool is buried a bit in the Window menu:

Which brings up this dialogue:

Embedded capture in managed Wi-Fi

With the advent of cloud managed network solutions, particularly Wi-Fi APs, being able to capture on those managed interfaces remotely is a critical troubleshooting and monitoring tool. Both Meraki, by Cisco, and Aerohive Networks have embedded packet capture on their devices that can be initiated through a management dashboard. These two are integrated with CloudShark and automatically upload captures to your account for analysis.

Getting captures into CloudShark

Some of the tools above automatically upload to CloudShark. For those that generate pcaps locally, you have a few options. If you have access to a browser and access to the file, you can drag-and-drop or browse directly to the file to upload via the CloudShark interface.

If you have your API key, you can use an http command line tool like cURL to push the capture to CloudShark using the CloudShark upload method. For a local file it looks something like this:

curl -F file=@filename.cap https://www.cloudshark.org/api/v1/<api-key>/upload

Alternatively you can use the scp command common on Linux and Mac OS systems to push files to CloudShark through one of our integrators, couchdrop.io, which is super easy!
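The tcpdump ring buffer from the tcpdump section and the cURL upload command above are easy to chain into one unattended script, which is what cloudshark-capture does for dumpcap. The script below is an added example written for this post, not CloudShark's cloudshark-capture or any other code from the CloudShark GitHub repository. It assumes (none of this is from the post) that the API key is in the CLOUDSHARK_API_KEY environment variable, that the host is www.cloudshark.org unless CS_HOST overrides it, that ring files live in one directory named ring.pcap*, and that the script is saved as ring-upload.sh. It goes one step beyond the one-line curl example: the key is passed to curl through a mode-600 config file (curl -K) rather than in the URL on the command line, so it does not show up in ps output or shell history, and only files the capture tool has finished writing are uploaded.

```shell
#!/bin/sh
# Added example, not CloudShark's own cloudshark-capture script.
# Capture with a tcpdump ring buffer and upload each *completed* ring file to
# CloudShark with curl. Assumptions (not from the blog post): the API key is in
# the CLOUDSHARK_API_KEY environment variable, the host is www.cloudshark.org
# unless CS_HOST overrides it, and ring files are named ring.pcap* in one dir.

# List completed ring files, oldest first. tcpdump (-C/-W) and dumpcap (-b)
# always write to the newest file, so that one is still open and is skipped.
completed_ring_files() {
    dir=$1
    ls -tr "$dir"/ring*.pcap* 2>/dev/null | sed '$d'
}

# Write a curl config file instead of putting the key in the URL on the
# command line: argv is readable by every local user via ps and ends up in
# shell history, whereas a mode-600 config file is not.
write_upload_config() {
    file=$1; cfg=$2
    [ -n "${CLOUDSHARK_API_KEY:-}" ] || { echo "CLOUDSHARK_API_KEY is not set" >&2; return 1; }
    (
        umask 077   # config holds the key: create it owner read/write only
        {
            printf 'url = "https://%s/api/v1/%s/upload"\n' \
                "${CS_HOST:-www.cloudshark.org}" "$CLOUDSHARK_API_KEY"
            printf 'form = "file=@%s"\n' "$file"
            printf 'silent\nshow-error\nfail\n'
        } > "$cfg"
    )
}

# Upload one capture: the same request as the post's curl -F example, with
# the key kept out of argv. Returns curl's exit status (--fail makes HTTP
# errors non-zero, so a rejected upload is not deleted locally).
upload_capture() {
    file=$1
    cfg=$(mktemp) || return 1
    write_upload_config "$file" "$cfg" || { rm -f "$cfg"; return 1; }
    curl -K "$cfg"
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Upload everything that is finished, then remove it locally so the ring
# directory never grows beyond what tcpdump keeps on its own.
upload_completed() {
    dir=$1
    for f in $(completed_ring_files "$dir"); do
        upload_capture "$f" && rm -f "$f"
    done
}

# Entry point, only when invoked as: sh ring-upload.sh run <iface> <dir>
if [ "${1:-}" = "run" ]; then
    iface=${2:-eth0}; dir=${3:-/var/tmp/ring}
    mkdir -p "$dir"
    # -C 100: rotate every 100 million bytes; -W 10: keep at most 10 files;
    # tcpdump appends a counter to the -w name. Needs root or CAP_NET_RAW.
    tcpdump -i "$iface" -C 100 -W 10 -w "$dir/ring.pcap" &
    while sleep 30; do
        upload_completed "$dir"
    done
fi
```

Run it as `CLOUDSHARK_API_KEY=... sh ring-upload.sh run eth0 /var/tmp/ring`; the same loop works for dumpcap by swapping the tcpdump line for `dumpcap -i eth0 -b filesize:100000 -b files:10 -w /var/tmp/ring/ring.pcap`, since both tools only ever hold the newest file open.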

About Us

CloudShark is made by QA Cafe, a technology company based in Portsmouth, NH. Our passion for packet captures has grown out of our other product CDRouter.
