Yes. Do something like this:

tethereal -n -a filesize:10000 -b 20 -w /your/output/files/go/here/capture.file.name -f "host <ip1> or host <ip2>"

So you'll see all traffic to AND from host "ip1" and you'll see all traffic to AND from host "ip2". Since the traffic between these two hosts is okay, you could rule out those streams by making the capture filter longer:

-f "(host <ip1> or host <ip2>) and not (host <ip1> and host <ip2>)"

Anyway, this capture would run all the time, dumping the output into 20 files (-b 20), max size each is 10MB (-a filesize:10000), and it would write them as "capture.file.name.NNN" in the directory "/your/output/files/go/here". :-) Modify as appropriate.
Now, when you go to *read* the things, you can do one of two things.

1) Stop the capture. Tethereal will rename all of the files to a timestamp-based name. Use mergecap to make them one big capture file (if you want) and load it up.

2) Don't bother stopping the capture. Just copy the files out of the ring buffer and merge them, or use mergecap on them where they are (since the originals are not modified), and load it up. You'll get errors about the last packet in each file, since it'll probably be a partial packet.

Do NOT MOVE the files out of an active ring buffer. Ethereal keeps the files open. If you move them, it'll really [EMAIL PROTECTED]& things up. Copying them is fine. Moving them is bad.

Note that I stuck the "-n" on the original capture to disable name resolution. Don't worry. The name resolution stuff doesn't go in the capture files anyway, so it's a waste to have tethereal looking up names at capture time. Just have name lookups enabled when you go to read the files later and you'll still see all of the names.

Hope that helps!
--J
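As an added example (not part of the original post, and not code shipped with Ethereal), a POSIX shell script that generalizes the capture filter above to any number of partner hosts (all traffic to or from a partner, minus partner-to-partner traffic) and that snapshots a running ring buffer by copying rather than moving, as the reply advises. The IP addresses, the -w prefix and the scratch directory are constructed placeholders; mergecap is invoked only if it is installed.

```shell
#!/bin/sh
# build_partner_filter IP...  -> BPF capture filter (tethereal -f "...")
# Matches traffic to/from any listed partner, excluding traffic exchanged
# between two partners.  Each pair is parenthesized because BPF gives
# "and" and "or" equal precedence (left to right), so bare chains would
# not mean what you expect.
build_partner_filter() {
    any=""
    for ip in "$@"; do
        any="${any:+$any or }host $ip"
    done
    pairs=""
    npairs=0
    while [ $# -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do
            pairs="${pairs:+$pairs or }(host $a and host $b)"
            npairs=$((npairs + 1))
        done
    done
    case $npairs in
        0) printf '%s\n' "$any" ;;
        1) printf '(%s) and not %s\n' "$any" "$pairs" ;;
        *) printf '(%s) and not (%s)\n' "$any" "$pairs" ;;
    esac
}

# snapshot_ring_buffer PREFIX DEST -> number of files copied
# PREFIX is the path given to tethereal -w; the ring-buffer files are
# "PREFIX.NNN".  The originals stay open in tethereal, so they are only
# ever copied (cp), never moved.  The copies are merged with mergecap when
# it is available.
snapshot_ring_buffer() {
    prefix=$1
    dest=$2
    mkdir -p "$dest"
    n=0
    for f in "$prefix".*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dest"/ && n=$((n + 1))
    done
    if [ "$n" -gt 0 ] && command -v mergecap >/dev/null 2>&1; then
        mergecap -w "$dest"/merged.cap "$dest"/"$(basename "$prefix")".*
    fi
    echo "$n"
}
```

Usage: `tethereal -n -a filesize:10000 -b 20 -w /tmp/partners/cap -f "$(build_partner_filter 10.0.0.1 10.0.0.2 10.0.0.3)"`, then later `snapshot_ring_buffer /tmp/partners/cap /tmp/partners/snap` (paths are placeholders).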
-----Original Message-----
From: Michel Vanden Bossche [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: [Ethereal-users] Monitoring with Ethereal

Is it possible to filter only a few IP ranges (partners accessing the Intranet) with a name resolution (partner name)? This would allow monitoring whether authorized partners access only their authorized resources on the Intranet.

Michel