User Manual

Packet Capturing

ToMaTo can capture all packets travelling over any connection to a pcap file. This is done from the outside, meaning that your element’s will not be affected by this.

Set-Up

To set up packet capturing, open the target connection’s config window and select the Packet Capturing tab. Here, you can enable packet capturing, and select whether you wish to create a downloadable file, or view them live via network.

The captured packets are saved to a rotating set of files holding at most 50 MB of data.

You can also define a filter for packets, meaning that only respective packets are included in the resulting dump. The filter syntax are PCAP filter expressions.

Access to Download

When you set packet capturing to be downloadable, the connection’s right-click menu contains a Download Capture entry which will automatically start a download of the respective file.

Access to Live-Viewing

When you set packet capturing for live viewing, the connection’s right-click menu contains a Live capture info entry which will open a window with information about the TCP stream as well as a prepared wireshark command you can use in your terminal.

Timestamps

The timestamp in the capture files do not exactly correspond with the time of sending the packet in the virtual machine since the scheduling might introduce a delay. However the timestamp is guaranteed to be between the time of sending the packet and the time of forwarding it to the connection.

Also note that hosts (which are distributed over multiple continents) may have a clock offset to each other, which is usually below 1s.

Analysis programs

ToMaTo generates capture files in the pcap format. When downloaded from the hosts multiple capture files are packed into a tar.gz archive.

The capture files created by ToMaTo can be used by a lot different programs:

  • Wireshark - A graphical pcap explorer and analysis tool
  • tcpreplay - A Linux tool to replay pcap files