Wireshark-users: Re: [Wireshark-users] Capture Filter Problem, Part II
From: "Chad Dailey" <chad@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 30 Oct 2007 16:29:17 -0500
You might find dumpcap works better than tshark with your suggested solution.

Though this is a Wireshark mailing list, perhaps netcat would be useful to try.

http://www.vulnwatch.org/netcat/

Look for:

-DGAPING_SECURITY_HOLE

here:

http://www.vulnwatch.org/netcat/readme.html

Good luck!

On 10/30/07, Travis Love <travis.love@xxxxxxxx> wrote:
Okay, this is a bit trickier of a question than my last one.  I've been beating my head on this for a couple of weeks, and have almost nothing.  So here goes:

I have a reasonably complex capture filter designed to capture packets from rogue DHCP servers on our network.  However, the boss wants something that will alert the tech using the machine that the filter is running on that he's got to hunt down a rogue.  The only solution I've thought of so far is to use tshark, dumping to a cap file, and have another script running concurrently to check the file every minute or so and alert the user if the size is larger than 0.

There's got to be a better way than that, right?  Any ideas would be very much appreciated.

-Travis
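
One way to get an alert as soon as a matching packet arrives, instead of polling the capture file's size, is to have tshark print one line per packet and react to each line. The shell function below is an added example, not part of either message; the interface name, the capture filter, the authorised addresses and the function name `rogue_dhcp_watch` are assumptions.

```shell
#!/bin/sh
# Added example: alert per packet instead of checking a capture file's size.
# Assumed pipeline (interface, filter and addresses are placeholders):
#   tshark -l -i eth0 -f "udp src port 67" -T fields -e ip.src -e eth.src \
#     | rogue_dhcp_watch "10.0.0.1 10.0.0.2"
# -l makes tshark flush stdout after every packet, so the loop below sees
# each line immediately rather than when a buffer fills.

# rogue_dhcp_watch AUTHORIZED_IPS
# Reads "ip<TAB>mac" lines on stdin and prints one ALERT line for each new
# source that is not in the space-separated AUTHORIZED_IPS list.
# Returns 1 if at least one unauthorised source was seen, otherwise 0.
rogue_dhcp_watch() {
    authorized=" $1 "
    seen=" "
    rc=0
    while read -r ip mac; do
        [ -n "$ip" ] || continue                           # skip blank lines
        case "$authorized" in *" $ip "*) continue ;; esac  # known server
        case "$seen" in *" $ip/$mac "*) continue ;; esac   # already alerted
        seen="$seen$ip/$mac "
        rc=1
        printf 'ALERT rogue DHCP server ip=%s mac=%s\n' "$ip" "${mac:-unknown}"
    done
    return $rc
}
```

Each ALERT line can be piped on to whatever notifies the tech (a pop-up, mail, syslog). DHCP relay agents also send from UDP port 67, so their addresses belong in the authorised list.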
