I don't have any basic knowledge of tshark, and it is hard to find any tutorial to help me with this.

So now I have a pcap file which consists of a lot of network flows; a time range; an IP address; a TCP port number; and the number of packets sent by the IP address OR the number of packets received by the IP address.

What I want to do is: first let tshark read from that pcap file, then use the time range to filter out all the network flows that are in that time range, then use the IP address to filter out all the network flows from that IP address on the flows already filtered by time, and then use the TCP port number and the number of packets sent/received by the IP address to finally locate the flow I want. Then follow this flow/stream and save the whole conversation to a new pcap file.

Can anyone help? I'll very much appreciate it.

quanta
  • 52,423
Tor
  • 3

2 Answers

1

See tool for splitting pcap files by TCP connection?, then feel a bit sad that I can't find anything for Linux that will keep a PCAP in proper form and filter by flow. If you can do it without focusing on the flows, then tshark will respect all the normal tcpdump (pdf link) filters. Read in the dump and set the -w output flag and filters and you'll get your leaner file.

Jeff Ferland
  • 20,987
1

What I want to do is that first I let tshark to read from that pcap file, and then use the time range to filter out all the network flows that are in that time range

You should do it with editcap:

$ editcap -A "2011-07-12 09:49:16" -B "2011-07-12 09:49:20" in.pcap out.pcap

and then use the ip addr to filter out all the network flows from that ip addr, and then use the tcp port number and the number of packets sent/received by the ip addr to finally locate the flow I want.

$ tshark -r out.pcap -R "ip.addr == $IP && tcp.port == $PORT"

Then follow this flow/stream

$ tshark -r out.pcap -R "ip.addr == $IP && tcp.port == $PORT" \
    -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | sort -u | \
    while read src sport dst dport; do
        tshark -r out.pcap \
            -R "ip.addr == $src && tcp.port == $sport && \
                ip.addr == $dst && tcp.port == $dport"
    done
quanta
  • 52,423
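The full pipeline the question asks for (time range, then IP address, then TCP port, then packet counts, then save the whole conversation), as an added pure-Python example that is not part of either answer. It parses the pcap file directly instead of calling editcap -A/-B and tshark's ip.addr/tcp.port filter, so it runs without either tool and shows what those filters are doing on the packet bytes. The names build_packet, parse_pcap, locate_flow, extract_flow and the sample capture are all constructed for this example; it assumes a classic little-endian microsecond pcap holding Ethernet/IPv4/TCP frames (no pcapng, VLAN tags or IPv6).

```python
"""Locate one TCP conversation in a pcap by time range, ip, port and packet counts,
then write the whole conversation to a new pcap (added example; not from the answers)."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps


def build_packet(src, sport, dst, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; parsing ignores them)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(packets):
    """packets: list of (timestamp_seconds, frame_bytes) -> bytes of a pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (ts, src, sport, dst, dport, record_bytes) for every IPv4/TCP packet."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        record = data[off:off + 16 + incl]
        frame = record[16:]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield (sec + usec / 1_000_000, src, sport, dst, dport, record)


def flow_key(src, sport, dst, dport):
    """Direction-independent conversation key, like Wireshark's 'follow TCP stream'."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def locate_flow(data, t_start, t_end, ip, port, sent=None, received=None):
    """Apply the question's filters in order and return the matching conversation keys."""
    counts = defaultdict(lambda: {"sent": 0, "received": 0})
    for ts, src, sport, dst, dport, _ in parse_pcap(data):
        if not (t_start <= ts <= t_end):            # editcap -A/-B equivalent
            continue
        if ip not in (src, dst) or port not in (sport, dport):  # ip.addr && tcp.port
            continue
        counts[flow_key(src, sport, dst, dport)]["sent" if src == ip else "received"] += 1
    return [k for k, c in counts.items()
            if (sent is None or c["sent"] == sent)
            and (received is None or c["received"] == received)]


def extract_flow(data, key):
    """New pcap with every packet of the conversation (the whole stream, not only the window)."""
    out = data[:24]
    for _, src, sport, dst, dport, record in parse_pcap(data):
        if flow_key(src, sport, dst, dport) == key:
            out += record
    return out


# Constructed sample capture: three conversations between 10.0.0.1 and 10.0.0.2:80.
A = ("10.0.0.1", 1234, "10.0.0.2", 80)
B = ("10.0.0.1", 1235, "10.0.0.2", 80)
C = ("10.0.0.1", 1236, "10.0.0.2", 80)


def pk(ts, flow, reverse=False):
    s, sp, d, dp = flow
    return (ts, build_packet(d, dp, s, sp) if reverse else build_packet(s, sp, d, dp))


SAMPLE_PCAP = build_pcap([
    pk(100.0, A), pk(100.1, A, True), pk(100.2, A), pk(100.3, A), pk(100.4, A, True),
    pk(101.0, B), pk(101.1, B, True), pk(101.2, B), pk(101.3, B, True),
    pk(200.0, C), pk(200.1, C, True),   # outside the time window below
    pk(300.0, A, True),                 # late packet of A: still part of the stream
])

if __name__ == "__main__":
    key = locate_flow(SAMPLE_PCAP, 100, 150, "10.0.0.1", 80, sent=3)[0]
    with open("flow.pcap", "wb") as fh:
        fh.write(extract_flow(SAMPLE_PCAP, key))
```

Packet counts are taken over the time-filtered packets only, but extract_flow follows the conversation across the whole file, which is what "follow stream" does in tshark; if the saved file should also be limited to the window, run the same time check inside extract_flow.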