Articles

What are some easy to use packet capture tools?

5 min read

A common question we get other than where to find example packet captures is which packet capture tools exist that are either free, work in a command line, work directly with CloudShark, or all of the above. Here’s a list of our go-to capture tools (other than Wireshark of course) and the different scenarios in which they can be used.

tshark

tshark is the command line packet capture tool that comes with Wireshark. If you’re capturing from a system that can support Wireshark, tshark is a robust tool that allows you to specify a good number of options when determining what to capture, including capture filters, capture buffer size, and the ability to use a ring buffer to continuously create captures of a specific maximum size.

The nice thing about tshark is that it works directly with our CloudShark plug-in for Wireshark. After setting up the configuration file with your CloudShark API key, tshark will send completed captures to your CloudShark repository automatically, or, if you’d rather, when prompted in the command line.

tshark also works if you’ve installed Wireshark for Windows, but you’ll have to set up a path for it. By default it runs from \Program Files\Wireshark\tshark.exe.

About ring buffers

CloudShark is made to work with capture files directly. While it's not possible to stream live packets to CloudShark, there's an option at your disposal that is enabled by many of the tools listed here called "ring buffering". You can read how to use ring buffers with CloudShark here.

tcpdump

tcpdump is a networking tech standard when it comes to performing remote captures on a system, and the tool most often used in our examples and exercises. It’s also fairly robust, and lets you specify capture filters using expressions, and create rotating (ring) buffer using the -C (capture size) and -W (number of files) options.

It should be noted that by default tcpdump publishes the packet info to stdout. To create a pcap that can be used with CloudShark, use the -w flag and specify a filename. For example:

tcpdump -w capture.pcap

Note that while tcpdump can read pcapng files and display them, it captures in pcap format. You can read about the differences and benefits of pcapng here.

Since it’s widely used, there’s a lot of support out there. The people over at hackertarget have an in-depth overview of tcpdump with some great examples.

Comparitech also put together a great cheat sheet that lists all of the command options and what you can do with them:

Read the tcpdump cheat cheet  

dumpcap

dumpcap is the raw packet capture function used by Wireshark/tshark. Using it directly has some advantages, as it is lighter weight in terms of processing and memory. That’s one of the reasons we used in our example of building a network probe using a Raspberry Pi.

As you might expect, we’ve put together some of the above tools together with the http application cURL to build a command we call cloudshark-capture that will take a capture using dumpcap and then automatically upload it to CloudShark. You can find this and many other tools on the CloudShark GitHub repository.

ChromeOS packet capture

For those looking to troubleshoot networks or applications for users of Chromebooks, Chrome OS has its own packet capture command. With a completed capture you can use the Chrome browser to log into CloudShark and upload the capture directly.

Airtool

CloudShark has a large list of integrators, different tools and architectures that have incorporated CloudShark views or CloudShark upload into their systems. Out of that list, Airtool stands out as a stand-alone capture tool for troubleshooting Wi-Fi in Mac OS. Airtool captures can be automatically uploaded to CloudShark using your API key.

You can watch a video and read how to use Airtool here.

 airtool

Embedded capture in managed Wi-Fi

With the advent of cloud managed network solutions, particularly Wi-Fi APs, being able to capture on those managed interfaces remotely is a critical troubleshooting and monitoring tool. Both Meraki, by Cisco, and Aerohive Networks have embedded packet capture on their devices that can be initiated through a management dashboard. These two are integrated with CloudShark and automatically upload captures to your account for analysis.

Getting captures into CloudShark

Some of the tools above automatically upload to CloudShark. For those that generate pcaps locally, you have a few options. If you have access to a browser and access to the file, you can drag-and-drop or browse directly to the file to upload via the CloudShark interface.

If you have your API key, you can use an http command line tool like cURL to push the capture to CloudShark using the CloudShark upload method. For a local file it looks something like this:

curl -F file=@filename.cap

https://www.cloudshark.org/api/v1//upload

Alternatively you can use the scp command common on Linux and Mac OS systems to push files to CloudShark through one of our integrators, couchdrop.io, which is super easy!


 

Want articles like this delivered right to your inbox?

Sign up for our Newsletter

No spam, just good networking