read a file .pcap

jsluoning · 01-30-2012, 04:09 AM

I have a .pcap file but it is really in large size (1G).

I just need a part of this file which is choosen by time. For example, from 12:00:00 to 12:00:10. Is this possible?

Thank you.

vikas027 · 01-30-2012, 04:17 AM

Use the below command

Code:

tcpdump -ttttnnr pcapfile.pcap | awk '/12:00:00/,/12:00:10/'

acid_kewpie · 01-30-2012, 04:17 AM

wireshark (well.. tshark) can certainly do this easily, but tcpslice is written specifically for this purpose, so check that out.

acid_kewpie · 01-30-2012, 04:18 AM

Quote:

Originally Posted by vikas027

Use the below command

Code:

tcpdump -ttttnnr pcapfile.pcap

I think the point is they don't want to have to load all the uninteresting data, not see what time the packets were. I certainly would not like the idea of loading a 1gb pcap file into wireshark.

fukawi1 · 01-30-2012, 04:24 AM

Yes using grep.

Code:

grep "12:00:0[0-9]"

jsluoning · 01-30-2012, 04:37 AM

Quote:

Originally Posted by acid_kewpie

wireshark (well.. tshark) can certainly do this easily, but tcpslice is written specifically for this purpose, so check that out.

Actually i need to use the information chosen in a new software to analyze the errors. I want to show these informations with GTK and then do the analyzation.
So maybe i can use wireshark like plug-in?

acid_kewpie · 01-30-2012, 04:45 AM

not sure what you mean by a plugin, but I would use tcpslice to hack out the interesting region of traffic to a new pcap file and then loads of 10mb or so into wireshark.

jsluoning · 01-30-2012, 05:09 AM

Quote:

Originally Posted by acid_kewpie

not sure what you mean by a plugin, but I would use tcpslice to hack out the interesting region of traffic to a new pcap file and then loads of 10mb or so into wireshark.

I am sorry i don't speak very well English and i don't know a thing about network.

So you mean i can generate a new file (10 seconds of the interesting region)with tcpslice and then juste analyze this file in my software?

acid_kewpie · 01-30-2012, 05:33 AM

yes, that *seems* to be exactly what you're after, no?

jsluoning · 01-30-2012, 07:02 AM

Quote:

Originally Posted by acid_kewpie

yes, that *seems* to be exactly what you're after, no?

Yeah, I really need a file in small size but tcpslice is a linux commande, no?

what i want to realize is:
1. choose the 1G file
2. choose the time limit in a filter(something like the red words), click OK
hh : mm : ss to hh : mm : ss OK
3. show the text

I can not use the tcpslice commande in the console to generate the file.

acid_kewpie · 01-30-2012, 07:14 AM

you're asking on a linux forum about manipulating data created by a linux command and you expect us not to mention linux based solutions? :-)

tshark comes with wireshark on windows, I expect that's probably your best bet.

see this: http://www.wireshark.org/lists/wires.../msg00187.html for an example filter for a time range.

jsluoning · 01-30-2012, 07:24 AM

Quote:

Originally Posted by acid_kewpie

you're asking on a linux forum about manipulating data created by a linux command and you expect us not to mention linux based solutions? :-)

tshark comes with wireshark on windows, I expect that's probably your best bet.

see this: http://www.wireshark.org/lists/wires.../msg00187.html for an example filter for a time range.

you are right, i find myself a little stupid. >_<
But thank you very much. It's really helpful.

Merci et je vous souhaite une très bonne journée.