Ask Your Question
0

Wireshark Automation To Capture only LDAP & DNS Traffic

asked 2022-07-08 15:49:54 +0000

Wireshark Automation To capture only LDAP & DNS Traffic into .CAP or another other format

Greetings to all!

I am working in a new project which needs Wireshark capture automation "to collect only LDAP & DNS" traffic in .CAP file or any other Wireshark readable format.

project requirement as follows :

  1. Using scripted method (either dos, powershell etc), execute the script to capture only LDAP & DNS traffic (ip.src & ip.dst) in .cap file.

  2. Script can be executed locally or best if can be trigger from remotely - windows server.

  3. File can be saved on local DC / server or best way to save it on remote server share drive.

Requesting on this forum to share any sample Powershell scripts if its do able.

Please do share ideas how to achieve it.

Thanks a lot on Advance, Suvajit Basu

edit retag flag offensive close merge delete

Comments

Is this a "real-time" continuous capture or a script run on a capture file after the capture has been completed?

grahamb gravatar imagegrahamb ( 2022-07-08 17:07:39 +0000 )edit

Hi Grahamb,

Thanks for your query.

Script needs to start the real time traffic capture for LDAP & DNS . After 3 hours, stop the capture and save into .CAP file.'

Please let me know if there are any such scripts available on .bat or .PS1

Thanks, Suvajit Basu

Suvajit Basu gravatar imageSuvajit Basu ( 2022-07-08 17:58:03 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-07-11 05:59:30 +0000

JasMan gravatar image

updated 2022-07-11 05:59:53 +0000

I'm using Dumpcap and Windows "Schedule Tasks" to do this.

You can define the triggers in the task according your needs (e.g. run on startup and 3 hours only).

The command is the path to dumpcap.exe (e.g. C:\Program Files\Wireshark\dumpcap.exe). The argument defines the capture filter (-f), the adapter (-i), the filename and location (-w), cound and max. size of each file (-b), capture duration (-a duration:xxxx). Example:

"-i "NAME_OF_LAN_CONNECTION" -f "(host IP_OF_LDAP_SERVER or host IP_OF_DNS_SERVER) and (port 389 or 53)" -w "C:\Temp\%COMPUTERNAME%.pcap" -a duration:10800

This will capture all DNS and LDAP traffic to/from the defined hosts. The capture will run 10.800 seconds/3 hr and write the data to c:\Temp.

edit flag offensive delete link more

Comments

Greetings! JasMan,

Thank you so much for your kind help & assistance.

dumpcap.exe "-i "NAME_OF_LAN_CONNECTION" -f "(host IP_OF_LDAP_SERVER or host IP_OF_DNS_SERVER) and (port 389 or 53)" -w "C:\Temp\%COMPUTERNAME%.pcap" -a duration:10800

Let me try above commends right away and update you in few hours.

Many thanks, Suvajit Basu

Suvajit Basu gravatar imageSuvajit Basu ( 2022-07-11 07:41:02 +0000 )edit

Hi JasMan,

Greetings!

dumpcap command is working like charm . Thank you.

C:\Program Files\Wireshark>dumpcap.exe -i 6 -f "(host 30.9.122.33) and (port 389 or 53)" -w "C:\NetmonCapture\12th-July-2022.pcap" -a duration:180

When i was doing analysis for .pcap capture file, noticed , lots of TCP Acknowledge packets also getting capture. Is there any ways to eliminate it from .pcap file.

Thanks in advance, Regards, Suvajit Basu

Suvajit Basu gravatar imageSuvajit Basu ( 2022-07-12 10:35:54 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-07-08 15:49:54 +0000

Seen: 884 times

Last updated: Jul 08 '22