Tethereal Ring Buffer Syntax Changes Again

It's tough to keep up with syntax changes in Tethereal. Only a few months ago I posted syntax to use Tethereal in ring buffer mode. I like ring buffer mode because it is a "fire and forget" solution for collecting full content data. You tell Tethereal how many files, and of what size, it should collect, and then the program just keeps logging as much as you specify.

Today when trying Tethereal 0.10.13, I discovered the syntax has changed again. First, the relevant man page excerpt:

-a Specify a criterion that specifies when Tethereal is to stop writing to a capture file. The criterion is of the form test:value, where test is one of:

duration:value Stop writing to a capture file after value seconds have elapsed.

filesize:value Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1024 bytes). If this option is used together with the -b option, Ethereal will stop writing to the current capture file and switch to the next one if filesize is reached.

files:value Stop writing to capture files after value number of files were written.

-b Cause Tethereal to run in "multiple files" mode. In "multiple files" mode, Tethereal will write to several capture files. When the first capture file fills up, Tethereal will switch writing to the next file and so on.

The created filenames are based on the filename given with the -w flag, the number of the file and on the creation date and time, e.g. savefile_00001_20050604120117.pcap, savefile_00001_20050604120523.pcap, ...

With the files option it's also possible to form a "ring buffer". This will fill up new files until the number of files specified, at which point Tethereal will discard the data in the first file and start writing to that file and so on. If the files option is not set, new files are filled up until one of the capture stop conditions matches (or until the disk is full).

The criterion is of the form key:value, where key is one of:

duration:value switch to the next file after value seconds have elapsed, even if the current file is not completely filled up.

filesize:value switch to the next file after it reaches a size of value kilobytes (where a kilobyte is 1024 bytes).

files:value begin again with the first file after value number of files were written (form a ring buffer).

OK, so how do I use this? I create the following simple shell script:

#!/bin/sh

# Capture file size in KB; 1,000,000 KB is roughly 1 GB
#FILESIZE=1000000
# 100,000 KB is roughly 100 MB
FILESIZE=100000

# Number of files to keep in the ring buffer
FILENUMBER=5

# Interface to watch
INTERFACE=fxp0

# -n: no name resolution; -s 1515: snaplen in bytes; -q: quiet
# -a filesize: switch files when the current one reaches $FILESIZE KB
# -b files: keep $FILENUMBER files, then overwrite the oldest (ring buffer)
/usr/X11R6/bin/tethereal -n -i "$INTERFACE" -s 1515 -q -a filesize:$FILESIZE -b files:$FILENUMBER \
-w /nsm1/lpc/fullcontent.lpc

The preceding script tells Tethereal to collect five 100,000 KB files. When the fifth one reaches the 100 MB limit, Tethereal begins overwriting the first one. Check out these directory listings as time progresses. First, the initial capture file. Notice the naming convention Tethereal uses. (Note: 100,000 KB != 100 MB, but it's close enough for our purposes.)

sensor01:/nsm1/lpc# ls -alh
total 35780
drwxr-xr-x 2 root wheel 512B Nov 22 15:23 .
drwxr-xr-x 5 root wheel 512B Nov 22 15:00 ..
-rw------- 1 root wheel 35M Nov 22 15:24 fullcontent_00001_20051122152344.lpc

After a while, we have five files:

sensor01:/nsm1/lpc# ls -alh
total 483300
drwxr-xr-x 2 root wheel 512B Nov 22 15:24 .
drwxr-xr-x 5 root wheel 512B Nov 22 15:00 ..
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00001_20051122152344.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00002_20051122152407.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00003_20051122152419.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00004_20051122152430.lpc
-rw------- 1 root wheel 81M Nov 22 15:24 fullcontent_00005_20051122152441.lpc

When the fifth file is completed, the first is overwritten:

sensor01:/nsm1/lpc# ls -alh
total 409316
drwxr-xr-x 2 root wheel 512B Nov 22 15:24 .
drwxr-xr-x 5 root wheel 512B Nov 22 15:00 ..
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00002_20051122152407.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00003_20051122152419.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00004_20051122152430.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00005_20051122152441.lpc
-rw------- 1 root wheel 8.7M Nov 22 15:24 fullcontent_00006_20051122152453.lpc

This process continues until Tethereal is killed. It is a great full content data collection system.
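Two things a sensor operator wants to know before leaving a ring buffer like the one above running unattended are whether the partition can hold all the files, and which time window the retained files cover. The following helpers are an added example, not code from the original post: the function names (ring_bytes_needed, ring_fits_disk, ring_window) are my own, and the file list at the bottom is constructed from the third directory listing above.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper functions (names
# assumed: ring_bytes_needed, ring_fits_disk, ring_window) for sizing the
# ring buffer from the script above and for reading Tethereal's
# NAME_NNNNN_YYYYMMDDhhmmss.EXT file names to see what window is retained.

# Upper bound on disk used by the ring buffer, in bytes:
# FILENUMBER files of FILESIZE kilobytes (1024 bytes each).
ring_bytes_needed() {
    filesize_kb=$1; filenumber=$2
    echo $(( filesize_kb * 1024 * filenumber ))
}

# Succeed only if directory $3 has room for the ring buffer plus one extra
# file of slack, since Tethereal switches files after the limit is crossed.
# df -kP prints POSIX one-line-per-filesystem output in 1024-byte blocks.
ring_fits_disk() {
    need_kb=$(( $1 * $2 + $1 ))
    avail_kb=$(df -kP "$3" | awk 'NR == 2 { print $4 }')
    [ -n "$avail_kb" ] && [ "$avail_kb" -gt "$need_kb" ]
}

# Read ring buffer file names on stdin; print "OLDEST NEWEST COUNT", where
# OLDEST/NEWEST are the start timestamps embedded in the retained files.
# The sequence number keeps counting (00006, 00007, ...) as old files are
# discarded, so sorting on it gives the true order even after a wrap.
ring_window() {
    sed -n 's/^.*_\([0-9]\{5\}\)_\([0-9]\{14\}\)\.[A-Za-z0-9]*$/\1 \2/p' |
        sort -n |
        awk 'NR == 1 { oldest = $2 } { newest = $2; n++ }
             END { print oldest, newest, n + 0 }'
}

# Constructed sample: the file names from the third listing in the post.
SAMPLE_LISTING='fullcontent_00002_20051122152407.lpc
fullcontent_00003_20051122152419.lpc
fullcontent_00004_20051122152430.lpc
fullcontent_00005_20051122152441.lpc
fullcontent_00006_20051122152453.lpc'

# Example use: size check for the post's 5 x 100,000 KB configuration,
# then the retained window of the sample listing.
ring_fits_disk 100000 5 /nsm1/lpc 2>/dev/null ||
    echo "warning: /nsm1/lpc cannot hold $(ring_bytes_needed 100000 5) bytes"
printf '%s\n' "$SAMPLE_LISTING" | ring_window
```

Run it against `ls /nsm1/lpc | ring_window` on the sensor to see the start times of the oldest and newest retained files; the gap between them is how far back a full content investigation can reach.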

Comments

Anonymous said…
Just as a side note (slightly off-topic), for Windows users (of which I am one, when no *nix system is available at a client's side): with the "-w" option there is no way to cleanly kill a tethereal process dumping data in a file (Sysinternals' pskill simply kills the process without the trace file closing properly, thus no data being salvaged). The only way to do a proper file output, that I have found, in conjunction with pkill, is to use windump (same site as winpcap), instead of tethereal.

Of course the various options of kill in *nix prevent all of the above from happening ...
