26

I am unsure what the following networking tools do. They all seem to do a similar thing.

First some background. I am familiar with Cisco IOS. I am doing some Linux networking experimentation with virtual machines, so I am trying to create a small virtual network. I started playing with virtual interfaces (tun/tap, loop, br, etc.) and I'd like to be able to examine the traffic going through them for debug purposes.

I'm a bit unsure of what tool to use. I know of the following:

  1. tshark (wireshark)
  2. dumpcap
  3. tcpdump
  4. ettercap

I think tshark/wireshark uses dumpcap underneath. ettercap seems to be a man-in-the-middle attack tool. Which tool (others not listed included) would you use to debug an interface?

Ron Maupin
s5s

2 Answers

30
  • wireshark - powerful sniffer which can decode lots of protocols, lots of filters.

  • tshark - command line version of wireshark

  • dumpcap (part of wireshark) - can only capture traffic and can be used by wireshark / tshark

  • tcpdump - limited protocol decoding but available on most *NIX platforms

  • ettercap - used for injecting traffic not sniffing

All tools use libpcap (on Windows, WinPcap) for sniffing. Wireshark/tshark/dumpcap can use tcpdump filter syntax as a capture filter.

As tcpdump is available on most *NIX systems, I usually use tcpdump. Depending on the problem I sometimes use tcpdump to capture traffic and write it to a file, and then later use Wireshark to analyze it. If available, I use tshark, but if the problem gets more complicated I still like to write the data to a file and then use Wireshark for analysis.

tshepang
2

What do you mean by "debug an interface"?

Wireshark & Co. will not help you troubleshoot an interface problem, but will help you troubleshoot connection/traffic/protocol/payload problems.

If you want to troubleshoot that, the best way is to have a PC not involved in the traffic you want to troubleshoot connected to the same Cisco switch, and span the port you want to capture toward that PC/laptop. (Note that a very highly utilized link might get you packet drops on a laptop/PC with low-end cards if Gig-Ethernet is used.)

Example (taken from a 3750 running 12.2.x):

monitor session 1 source interface Gi1/0/10 both
monitor session 1 destination interface Gi1/0/11 encapsulation replicate

There are many other options; everything is in the documentation for your platform & IOS version.

Note that some platforms (those running IOS-XE, at least some 6509s, and maybe others) have integrated sniffers (actually a version of Wireshark). Actual capability varies from version to version, but I was able to capture traffic into an 8 MB circular buffer and import it without problems into a full-fledged Wireshark.

Remi Letourneau