Dump Cap

CLI utility to capture packets on a network

# List interfaces
dumpcap -D
 
# Capture Packets on an Interface
dumpcap -i <interface> -w <filename>

A ring buffer limits the amount of disk space a capture will use.
Using the filesize and files options we can limit the capture to a fixed number of files, each with a fixed maximum size.
When additional space is required, the initially created (1st, i.e. oldest) file is overwritten.

# Capture Packets using Ring Buffer
dumpcap -i <interface> -w <filename> -b filesize:<size-kb> -b files:<count>

Wireshark

Capture Filter: Only capture packets that match the filter (pre-filtering)
Display Filter: Filter packets after they are captured (post-filtering)

Capture and Display filters use different syntax

# Membership Operator
tcp.port in {80,443}
 
# Filter by Subnet
ip.addr == 10.10.20.0/24
 
# Filter out Packets
not (arp or ipv6)
 
# Exact string match
frame contains "google"
# Regex string match
frame matches "google"
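The display filters above, evaluated by a small mock in Python over constructed packets (an added example, not Wireshark code; packet fields and function names are hypothetical). It shows two points the filter list alone does not: ip.addr and tcp.port match either endpoint, and matches is a case-insensitive regex while contains is an exact byte match.

```python
"""Toy evaluator for the Wireshark display filters listed above (hypothetical)."""
import ipaddress
import re

# Constructed sample packets, not real captures. ARP has no IP-layer addresses.
PACKETS = [
    {"proto": "tcp", "src": "10.10.20.5", "dst": "93.184.216.34", "sport": 51000,
     "dport": 443, "payload": b"GET / HTTP/1.1\r\nHost: google.com"},
    {"proto": "arp", "payload": b""},
    {"proto": "ipv6", "src": "fe80::1", "dst": "ff02::1", "payload": b""},
    {"proto": "udp", "src": "192.168.1.9", "dst": "10.10.20.7", "sport": 53,
     "dport": 40000, "payload": b"dns"},
    {"proto": "tcp", "src": "172.16.0.2", "dst": "172.16.0.3", "sport": 80,
     "dport": 40001, "payload": b"HTTP/1.1 200 OK\r\nServer: Google Frontend"},
]

def tcp_port_in(pkt, ports):
    """tcp.port in {80,443}: true if EITHER the source or destination port is in the set."""
    return pkt["proto"] == "tcp" and (pkt["sport"] in ports or pkt["dport"] in ports)

def ip_addr_in_subnet(pkt, cidr):
    """ip.addr == 10.10.20.0/24: true if the source OR destination IPv4 address is in the subnet."""
    net = ipaddress.ip_network(cidr)
    for key in ("src", "dst"):
        if key not in pkt:            # e.g. ARP frames carry no ip.addr field
            continue
        addr = ipaddress.ip_address(pkt[key])
        if addr.version == net.version and addr in net:
            return True
    return False

def not_arp_or_ipv6(pkt):
    """not (arp or ipv6): drop both protocols, keep everything else."""
    return pkt["proto"] not in ("arp", "ipv6")

def frame_contains(pkt, needle):
    """frame contains "google": exact, case-sensitive byte substring anywhere in the frame."""
    return needle.encode() in pkt["payload"]

def frame_matches(pkt, pattern):
    """frame matches "google": Perl-style regex; Wireshark's matches is case-insensitive by default."""
    return re.search(pattern.encode(), pkt["payload"], re.IGNORECASE) is not None

def matching_indices(filter_fn, *args):
    """Return the indices of PACKETS that pass the given filter, like the packet list pane."""
    return [i for i, p in enumerate(PACKETS) if filter_fn(p, *args)]

if __name__ == "__main__":
    print("tcp.port in {80,443}      ->", matching_indices(tcp_port_in, {80, 443}))
    print("ip.addr == 10.10.20.0/24  ->", matching_indices(ip_addr_in_subnet, "10.10.20.0/24"))
    print("not (arp or ipv6)         ->", matching_indices(not_arp_or_ipv6))
    print('frame contains "google"   ->', matching_indices(frame_contains, "google"))
    print('frame matches "google"    ->', matching_indices(frame_matches, "google"))
```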