After "where can I find example packet captures?", the question we get most often is which packet capture tools exist that are free, work from the command line, work directly with CloudShark, or all of the above. Here's a list of our go-to capture tools (other than Wireshark, of course) and the scenarios in which each is useful.
About ring buffers
CloudShark works with completed capture files; it's not possible to stream live packets to it. The closest thing to continuous capture is a ring buffer, which many of the tools listed here support: the capturer writes to a fixed number of files of a fixed maximum size, closing and rotating them as they fill, so each completed file can be uploaded while the capture keeps running. You can read how to use ring buffers with CloudShark here.
tshark is the command line packet capture tool that ships with Wireshark. If you're capturing from a system that can run Wireshark, tshark is a robust tool with a good number of options for controlling what is captured, including capture filters (-f), the kernel capture buffer size (-B), and ring buffers (-b) that continuously write captures of a given maximum size or duration.
The nice thing about tshark is that it works directly with our CloudShark plug-in for Wireshark. After setting up the configuration file with your CloudShark API key, tshark will send completed captures to your CloudShark repository automatically, or, if you’d rather, when prompted in the command line.
tshark also works if you've installed Wireshark for Windows, but you'll have to set up a path for it. By default it runs from
tcpdump is the de facto standard for performing remote captures on a system, and the tool most often used in our examples and exercises. It's also fairly robust: it lets you specify capture filters using BPF expressions, and it can create a rotating (ring) buffer using the -C option (maximum file size, in millions of bytes) together with -W (number of files to keep before overwriting the oldest). Both apply only when you're writing to a file with -w.
It should be noted that by default tcpdump prints decoded packet summaries to stdout rather than saving anything. To create a pcap that can be used with CloudShark, use the -w flag and specify a filename (add -i to choose the interface; capturing normally requires root). For example:
tcpdump -i eth0 -w capture.pcap
Note that while tcpdump can read pcapng files and display them, it captures in pcap format. tshark and dumpcap, by contrast, write pcapng by default unless you pass -P. CloudShark accepts both. You can read about the differences and benefits of pcapng here.
Since it’s widely used, there’s a lot of support out there. The people over at hackertarget have an in-depth overview of tcpdump with some great examples.
dumpcap is the raw packet capture engine used by Wireshark and tshark; both hand the actual capturing off to it. Using it directly has some advantages, as it is lighter weight in processing and memory because it does no dissection. That's one of the reasons we used it in our example of building a network probe using a Raspberry Pi.
As you might expect, we've combined some of the above tools with the HTTP client cURL to build a command we call cloudshark-capture, which takes a capture using dumpcap and then automatically uploads it to CloudShark. You can find this and many other tools on the CloudShark GitHub repository.
ChromeOS packet capture
For those looking to troubleshoot networks or applications for users of Chromebooks, Chrome OS has its own packet capture command. With a completed capture you can use the Chrome browser to log into CloudShark and upload the capture directly.
CloudShark has a large list of integrators, different tools and architectures that have incorporated CloudShark views or CloudShark upload into their systems. Out of that list, Airtool stands out as a stand-alone capture tool for troubleshooting Wi-Fi in Mac OS. Airtool captures can be automatically uploaded to CloudShark using your API key.
Mac OS Wireless Diagnostic
Similar in functionality to Airtool is the Mac OS Wireless Diagnostics tool, which has a built-in "sniffing" feature that lets you select a channel and band to capture at the raw 802.11 layer. If you're doing Wi-Fi analysis it can be handy, though the tool is buried a bit in the Window menu (Window > Sniffer), which brings up the channel selection dialog.
Embedded capture in managed Wi-Fi
With the advent of cloud managed network solutions, particularly Wi-Fi APs, being able to capture remotely on those managed interfaces is a critical troubleshooting and monitoring capability. Both Meraki, by Cisco, and Aerohive Networks have embedded packet capture on their devices that can be initiated from the management dashboard. Both are integrated with CloudShark and automatically upload captures to your account for analysis.
Getting captures into CloudShark
Some of the tools above upload to CloudShark automatically. For those that generate pcaps locally, you have a few options. If you have access to a browser and to the file, you can drag-and-drop or browse directly to the file to upload it via the CloudShark interface. From a machine with no browser (a remote server, a probe), you can post the file straight to the upload API with cURL, using your API key in the URL:
curl -F file=@capture.pcap https://www.cloudshark.org/api/v1/<api-key>/upload
Since the key is part of the URL, keep it out of shell history and logs (for example by reading it from a variable) and treat it like any other credential.
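The following is an added example, not CloudShark's own tool or the cloudshark-capture script mentioned above. It ties together two points from this page: the pcap versus pcapng difference (both formats are identified by their magic numbers and walked record by record, so a half-written file from a ring buffer that is still rotating is caught before it is uploaded), and the HTTP upload itself, which builds the same multipart body that the cURL -F invocation sends. Assumptions not taken from the page: the endpoint accepts the capture in a multipart field named "file", and the API key is read from a CLOUDSHARK_API_KEY environment variable so it never appears on the command line. The sample pcap and pcapng bytes are constructed inline for testing.

```python
"""Sanity-check a capture file, then push it to CloudShark over the upload API.

Added example (not CloudShark's tool). Assumptions not from the page: the
endpoint accepts multipart/form-data with the capture in a field named "file"
(what cURL -F file=@... posts); the key comes from CLOUDSHARK_API_KEY.
"""
import os
import struct
import sys
import urllib.request
import uuid

# Classic pcap magic numbers: byte order and whether timestamps are us or ns.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "pcap"),
    b"\xa1\xb2\xc3\xd4": (">", "pcap"),
    b"\x4d\x3c\xb2\xa1": ("<", "pcap-ns"),
    b"\xa1\xb2\x3c\x4d": (">", "pcap-ns"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # Section Header Block type; palindromic

def _walk_pcapng(data: bytes, endian: str) -> tuple:
    """Count pcapng blocks and report whether the file ends mid-block."""
    offset, blocks = 0, 0
    while offset + 8 <= len(data):
        _btype, blen = struct.unpack(endian + "II", data[offset:offset + 8])
        if blen < 12 or blen % 4 or offset + blen > len(data):
            break
        offset, blocks = offset + blen, blocks + 1
    return blocks, offset != len(data)

def inspect_capture(data: bytes) -> dict:
    """Identify pcap vs pcapng and check record framing without decoding packets."""
    if data[:4] == PCAPNG_MAGIC:
        bom = data[8:12]  # byte-order magic follows block type and length
        endian = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}.get(bom)
        if endian is None:
            raise ValueError("pcapng section header has a bad byte-order magic")
        blocks, truncated = _walk_pcapng(data, endian)
        return {"format": "pcapng", "blocks": blocks, "truncated": truncated}
    if data[:4] not in PCAP_MAGICS:
        raise ValueError(f"not a pcap or pcapng file (magic {data[:4]!r})")
    endian, fmt = PCAP_MAGICS[data[:4]]
    if len(data) < 24:
        raise ValueError("pcap global header is truncated")
    _m, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    offset, packets, truncated = 24, 0, False
    while offset < len(data):
        if offset + 16 > len(data):
            truncated = True
            break
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or offset + 16 + incl_len > len(data):
            truncated = True  # half-written record: typical of a ring file still being filled
            break
        offset, packets = offset + 16 + incl_len, packets + 1
    return {"format": fmt, "version": f"{vmaj}.{vmin}", "linktype": linktype,
            "snaplen": snaplen, "packets": packets, "truncated": truncated}

def build_multipart(filename: str, data: bytes, field: str = "file") -> tuple:
    """Build the multipart body cURL sends for -F file=@<path>; returns (body, content-type)."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode(), f"multipart/form-data; boundary={boundary}"

def upload(path: str, api_key: str, base: str = "https://www.cloudshark.org/api/v1") -> bytes:
    """Refuse junk or half-written files, then POST the capture; returns the raw response."""
    with open(path, "rb") as fh:
        data = fh.read()
    info = inspect_capture(data)
    if info["truncated"]:
        raise ValueError(f"{path}: last record is incomplete; is the capture still being written?")
    body, ctype = build_multipart(os.path.basename(path), data)
    # The key is part of the URL, so never log the URL.
    req = urllib.request.Request(f"{base}/{api_key}/upload", data=body, method="POST",
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()

def sample_pcap() -> bytes:
    """Constructed test data: little-endian Ethernet pcap with two short dummy frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    def rec(payload: bytes) -> bytes:
        return struct.pack("<IIII", 1700000000, 0, len(payload), len(payload)) + payload
    return hdr + rec(b"\x01\x02\x03\x04") + rec(b"\x05\x06")

def sample_pcapng() -> bytes:
    """Constructed test data: pcapng Section Header Block plus one Interface Description Block."""
    shb = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    idb = struct.pack("<IIHHII", 1, 20, 1, 0, 65535, 20)
    return shb + idb

if __name__ == "__main__":
    key = os.environ.get("CLOUDSHARK_API_KEY")
    if len(sys.argv) != 2 or not key:
        sys.exit("usage: CLOUDSHARK_API_KEY=<key> python3 cloudshark_upload.py <capture file>")
    print(upload(sys.argv[1], key).decode(errors="replace"))
```

Run it against a file a ring buffer has finished rotating out; on the file tcpdump or dumpcap is still writing, the last record is usually incomplete and the script refuses to upload it rather than sending a capture that the analyzer will flag as cut off. The format check costs one pass over the record headers and no packet decoding, so it is cheap even on files of the size a -C/-W ring produces.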
Alternatively, you can use the scp command common on Linux and Mac OS systems to push files to CloudShark through one of our integrators, couchdrop.io, which is super easy!