LinuxQuestions.org
#1 angel115 (Member), 05-23-2014, 01:59 AM
 
How to extract traffic from a massive packet capture


Hi there,

Does anyone know how I could extract traffic from/to a specific IP address from a massive packet capture (40 GB)?

I've tried with tshark but it doesn't work.
Code:
$ tshark -R "ip.addr == 10.0.100.155" -r trace-source.pcap -w extracted.pcap
 
#2 unSpawn (Moderator), 05-23-2014, 06:04 AM
 
Quote: Originally Posted by angel115
I've tried with tshark but it doesn't work.
I'm sorry to say "doesn't work" is not a proper technical analysis of your problem.

Couple of things wrt shaving off processing time:
- see http://wiki.wireshark.org/Performance wrt HW,
- "-R" wants "-2" as well,
- see "-F pcap" vs "-F pcapng",
- use a fine-tuned profile.

Here's my 'grep -v '#' ~/.wireshark/profiles/Dumb/preferences|grep .':
Code:
gui.hex_dump_highlight_style: BOLD
gui.fileopen.style: SPECIFIED
gui.recent_display_filter_entries.max: 100
gui.fileopen.dir: /tmp/
gui.ask_unsaved: FALSE
gui.find_wrap: FALSE
gui.geometry.save.position: FALSE
gui.geometry.save.size: FALSE
gui.geometry.save.maximized: FALSE
gui.marked_frame.bg: 000000
gui.column.hidden: %m,%t,%p,%us,%ud,%uS,%uD,%L
gui.column.format: 
        "No.", "%m",
        "Time", "%t",
        "Protocol", "%p",
        "SA", "%us",
        "DA", "%ud",
        "SP", "%uS",
        "DP", "%uD",
        "PL", "%L"
gui.layout_type: 5
gui.layout_content_1: NONE
gui.layout_content_2: NONE
gui.layout_content_3: NONE
capture.device: /dev/null
capture.prom_mode: FALSE
capture.pcap_ng: FALSE
capture.real_time_update: FALSE
capture.auto_scroll: FALSE
capture.show_info: TRUE
nameres.mac_name: FALSE
nameres.transport_name: FALSE
nameres.use_external_name_resolver: FALSE
nameres.concurrent_dns: FALSE
nameres.name_resolve_concurrency: 0
print.destination: File
protocols.display_hidden_proto_items: TRUE
eth.check_fcs: FALSE
tcp.summary_in_tree: FALSE
tcp.analyze_sequence_numbers: FALSE
tcp.relative_sequence_numbers: FALSE
tcp.track_bytes_in_flight: FALSE
tcp.dissect_experimental_options_with_magic: FALSE
udp.summary_in_tree: FALSE
though decide for yourself if you need any dissector specifics enabled, as in YMMV(VM).
 
#3 angel115 (Member, Original Poster), 05-23-2014, 07:16 AM
 
Well, OK, you're totally right, I poorly explained my issue.

When I type the command, I get some result, but it's not the expected one, as I can't open the generated file in Wireshark or NetWitness.

What I need is to extract all the traffic from/to 10.0.100.155 and save it in another pcap file which can be opened in Wireshark and NetWitness. (As NetWitness doesn't support .pcapng, I used the .pcap format.)

PS: Performance is not the issue here; even if it takes several hours to export, that's fine for me.

Thank you for your advice,
Angel.
 
#4 unSpawn (Moderator), 05-23-2014, 07:36 AM
 
Quote: Originally Posted by angel115
Well, OK, you're totally right, I poorly explained my issue.
Twice now ;-p


Quote: Originally Posted by angel115
(..) I can't open the generated file in Wireshark (..)
- What does "can't open" exactly mean here? Get any errors?
- What's your exact command line (if you modified anything after my post)?
- What does 'capinfos' say about your pcap file?
- Does 'tcpdump -n -nn -N -r /path/to/file.pcap' read its contents OK?
 
#5 angel115 (Member, Original Poster), 05-23-2014, 08:52 AM
 
OK, my mistake. You found my mistake.

My command was OK.

The problem is the way I generated my 40G packet file.
Originally I had several 300M packet captures that I merged to get a 40G packet file.

When I run my command on a single 300M packet capture file it works fine, and after merging them again it works fine.

Thank you for your help.
Angel.
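Added example, not code from this thread. The direct fix for the command in post #1, following unSpawn's notes in post #2, is a two-pass read filter with an explicit classic-pcap output format: `tshark -2 -R "ip.addr == 10.0.100.155" -r trace-source.pcap -F pcap -w extracted.pcap`. On a 40 GB file, `tcpdump -r trace-source.pcap -w extracted.pcap host 10.0.100.155` does the same job with a BPF filter and no dissection, and `capinfos extracted.pcap` (the check from post #4) confirms the result is a readable pcap. The Python script below is a small streaming pcap filter that shows what those tools do underneath and performs the same sanity checks: it refuses pcapng input (NetWitness wants classic pcap), validates every record header, and stops with the file offset when it meets a second capture header mid-file, which is what captures concatenated with `cat` instead of merged with `mergecap` look like (one common way a merge goes wrong; the thread does not say how the 40G file was built). The sample capture, MAC/IP addresses and timestamps are constructed for the demo, and only Ethernet/IPv4 (with one optional 802.1Q tag) is decoded.

```python
import struct
import sys
from io import BytesIO

# Classic pcap global-header magics -> struct endianness (microsecond and nanosecond variants)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",   # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",   # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",   # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"   # Section Header Block type that starts a pcapng file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
MAX_SNAPLEN = 262144                 # libpcap's MAXIMUM_SNAPLEN; a larger incl_len means a corrupt record


def ipv4_addrs(frame):
    """Return (src, dst) dotted quads of an Ethernet/IPv4 frame, or None if it is not IPv4."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETHERTYPE_VLAN:          # skip one 802.1Q tag
        if len(frame) < 18:
            return None
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    return ".".join(map(str, src)), ".".join(map(str, dst))


def filter_pcap(src, dst, host):
    """Stream records from file object src to dst, keeping packets to/from host.
    Holds one packet in memory at a time, so a 40 GB input is fine.
    Returns (packets_read, packets_kept); raises ValueError on a malformed file."""
    hdr = src.read(24)
    if len(hdr) < 24:
        raise ValueError("file is shorter than a pcap global header")
    magic = hdr[:4]
    if magic == PCAPNG_MAGIC:
        raise ValueError("input is pcapng, not classic pcap; convert with 'tshark -F pcap' or editcap first")
    if magic not in PCAP_MAGICS:
        raise ValueError("unknown magic %s: not a pcap file" % magic.hex())
    endian = PCAP_MAGICS[magic]
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are decoded here (got %d)" % linktype)
    dst.write(hdr)                           # same global header, so the output is the same format
    read = kept = 0
    offset = 24
    while True:
        rec = src.read(16)
        if not rec:
            break
        if len(rec) < 16:
            raise ValueError("truncated record header at offset %d" % offset)
        # Heuristic: a magic number where a record header belongs is a second global
        # header, i.e. files joined with cat instead of merged with mergecap.
        if rec[:4] in PCAP_MAGICS or rec[:4] == PCAPNG_MAGIC:
            raise ValueError("second capture header at offset %d: concatenated captures, re-merge with mergecap" % offset)
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        if incl_len > MAX_SNAPLEN:
            raise ValueError("bad record length %d at offset %d" % (incl_len, offset))
        data = src.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data at offset %d" % (offset + 16))
        read += 1
        addrs = ipv4_addrs(data)
        if addrs and host in addrs:          # same as 'ip.addr == host' or BPF 'host'
            dst.write(rec)
            dst.write(data)
            kept += 1
        offset += 16 + incl_len
    return read, kept


def filter_bytes(data, host):
    """In-memory wrapper: returns (read, kept, output_bytes)."""
    out = BytesIO()
    read, kept = filter_pcap(BytesIO(data), out, host)
    return read, kept, out.getvalue()


# Constructed sample capture for the demo (not real traffic)
def make_frame(src_ip, dst_ip, payload=b""):
    """Ethernet + minimal IPv4 header (protocol 17, zero checksum) + payload."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0, ip(src_ip), ip(dst_ip))
    return eth + iph + payload


def build_pcap(frames, snaplen=65535):
    """Little-endian classic pcap (magic 0xa1b2c3d4) with one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1400000000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE = build_pcap([
    make_frame("10.0.100.155", "10.0.0.1", b"A"),    # from the host of interest
    make_frame("192.168.1.2", "192.168.1.3", b"B"),  # unrelated
    make_frame("10.0.0.1", "10.0.100.155", b"C"),    # to the host of interest
])

if __name__ == "__main__":
    if len(sys.argv) == 4:                    # python3 pcapfilter.py in.pcap out.pcap 10.0.100.155
        with open(sys.argv[1], "rb") as fi, open(sys.argv[2], "wb") as fo:
            print("read %d, kept %d" % filter_pcap(fi, fo, sys.argv[3]))
    else:
        read, kept, _ = filter_bytes(SAMPLE, "10.0.100.155")
        print("demo: read %d, kept %d" % (read, kept))
```

Run it with an input file, an output file and the host address; without arguments it filters the built-in sample and reports that 2 of 3 packets were kept. Because the output reuses the input's global header and record headers verbatim, the result opens in anything that read the original, and a file that triggers the "second capture header" error is the one to rebuild with mergecap rather than re-filter.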
 
  


Tags: speed up pcap process, tshark, wireshark, wireshark profile


All times are GMT -5.
