Ethereal-users: Re: [Ethereal-users] need help creating a complex time filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "George P Nychis" <gnychis@xxxxxxx>
Date: Wed, 15 Mar 2006 01:40:25 -0500 (EST)
Is there any way to get it to do actual time instead of relative time?

Also, I get errors trying to run it:
Bareword found where operator expected at split_5m line 23, near ")     
                Net::Pcap::dump_close"
        (Missing operator before Net::Pcap::dump_close?)
Bareword found where operator expected at split_5m line 29, near "Net::Pcap::dump"
        (Missing semicolon on previous line?)
syntax error at split_5m line 23, near ")       
                Net::Pcap::dump_close"
syntax error at split_5m line 29, near "Net::Pcap::dump"
Unmatched right curly bracket at split_5m line 33, at end of line
syntax error at split_5m line 33, near "}"
Execution of split_5m aborted due to compilation errors.


> Errata corrige: line 18: my $ot = int($hdr{tv_sec} / 3600) * 3600;
> 
> On 3/15/06, LEGO <luis.ontanon@xxxxxxxxx> wrote:
>> by relative time...
>> 
>> change line 18 to
>> 
>> my $ot = int($hdr{tv_sec} / 3600);
>> 
>> and line 22 to:
>> 
>> if ($hdr{tv_sec} > $ot + 3600 )
>> 
>> and it will split the file into files containing exact hours.
>> 
>> On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
>>> Is it splitting by relative time or by actual time?
>>> 
>>> 
>>>> be patient... Perl is powerful, be sure about it, but it is slow,
>>>> very slow!
>>>> 
>>>> On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
>>>>> oh awesome, thank you very much for all your help, I will look
>>>>> through your script and use it :)
>>>>> 
>>>>> - George
>>>>> 
>>>>> 
>>>>>> On 3/14/06, George P Nychis <gnychis@xxxxxxx> wrote:
>>>>>>> So can I do wildcards for the date?  Because the log file
>>>>>>> spans over several days and it would just be easier to
>>>>>>> wildcard out the date.
>>>>>> 
>>>>>> No, it cannot.
>>>>>> 
>>>>>> Attached you'll find a Perl script I wrote a while ago that
>>>>>> splits a capture file into 5-minute files (starting at X:00, X:05,
>>>>>> X:10, X:15, ...); you can modify it to fit your needs.
>>>>>> 
>>>>>> 
>>>>>>> 
>>>>>>>> ---------- Forwarded message ----------
>>>>>>>> From: LEGO <luis.ontanon@xxxxxxxxx>
>>>>>>>> Date: Mar 13, 2006 11:28 PM
>>>>>>>> Subject: Re: [Ethereal-users] tethereal uses too much memory to filter packets from file
>>>>>>>> To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
>>>>>>>> 
>>>>>>>> 
>>>>>>>> I just added -A <start time> and -B <stop time> to editcap,
>>>>>>>> this way you can select to have in the file just those
>>>>>>>> packets that happen in a certain period of time.
>>>>>>>> 
>>>>>>>> $ editcap -A '2005-10-10 20:30:15' -B '2005-10-10 20:30:19' in.pcap out.pcap
>>>>>>>> 
>>>>>>>> This one can filter by date even a file N times bigger
>>>>>>>> than the RAM...
>>>>>>>> 
>>>>>>>> 
>>>>>>>> You can get it at
>>>>>>>> http://www.ethereal.com/distribution/buildbot-builds/ ; it's
>>>>>>>> in revision 17614 or higher.
>>>>>>>> 
>>>>>>>> L
>>>>>>>> 
>>>>>>>> On 3/14/06, George P Nychis <gnychis@xxxxxxx> wrote:
>>>>>>>>> By the way, multiple tethereal runs are also acceptable,
>>>>>>>>> such as running tethereal 6 times for each experiment to
>>>>>>>>> get the output, then putting all the output together.
>>>>>>>>> However, I can't find time wildcards to even accomplish
>>>>>>>>> that...
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> Hi,
>>>>>>>>>> 
>>>>>>>>>> I am not sure if calling this complex was the right
>>>>>>>>>> term, however I can't seem to find the exact filter to
>>>>>>>>>> do what I need.
>>>>>>>>>> 
>>>>>>>>>> I ran two sets of experiments and did them within 5
>>>>>>>>>> minutes of each other so that they experienced similar
>>>>>>>>>> network conditions.
>>>>>>>>>> 
>>>>>>>>>> Therefore, experiment one ran on these minutes
>>>>>>>>>> (inclusive) in an hour:
>>>>>>>>>> 00-04,10-14,20-24,30-34,40-44,50-54
>>>>>>>>>> 
>>>>>>>>>> Experiment two ran during these minutes (inclusive) in
>>>>>>>>>> an hour: 05-09,15-19,25-29,35-39,45-49,55-59
>>>>>>>>>> 
>>>>>>>>>> Therefore, I am looking for a filter for
>>>>>>>>>> tethereal/ethereal so that I can see only packets from
>>>>>>>>>> experiment one from a log file.
>>>>>>>>>> 
>>>>>>>>>> I've read about "frame.time", but I can't figure out
>>>>>>>>>> how to do wildcards with it; it always needs a specific
>>>>>>>>>> day attached to it as far as I can tell.
>>>>>>>>>> 
>>>>>>>>>> I'd greatly appreciate any help.
>>>>>>>>>> 
>>>>>>>>>> Thanks! George
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Ethereal-users mailing list
>>>>>>>>>> Ethereal-users@xxxxxxxxxxxx
>>>>>>>>>> http://www.ethereal.com/mailman/listinfo/ethereal-users
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> This information is top security. When you have read it, destroy yourself. -- Marshall McLuhan
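Worked example, added here by the editor; it is not LEGO's attached split_5m script and not part of the original thread. It does in Python, with only the standard library, the two things the thread asks for: keep only the packets whose minute-of-hour falls in experiment one's windows (00-04, 10-14, ..., 50-54), and split a capture into 5-minute (or hourly) files whose boundaries are aligned to the wall clock, the way `int($hdr{tv_sec} / 3600) * 3600` aligns them, with a `relative=True` switch that instead measures from the first packet, which is the distinction George asks about. It walks the classic pcap format record by record (24-byte global header, 16-byte per-packet headers) so it never needs the whole file in memory, which is the same reason editcap -A/-B copes with files larger than RAM. The sample capture, the `utc_ts` helper, the Ethernet-sized zero-padded payloads and the function names are all constructed for this example; pcapng is rejected on purpose since its layout is different.

```python
"""Filter or split a classic pcap by wall-clock time (added example, stdlib only)."""
import calendar
import struct
import time

# Magic numbers a classic pcap may start with, read as a little-endian uint32.
# pcapng (0x0A0D0D0A) is deliberately not supported; its layout is different.
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microsecond fractions
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microsecond fractions
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanosecond fractions
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanosecond fractions
}


def parse_header(data):
    """Return (endian, fraction_divisor, linktype) from the 24-byte global header."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in _MAGICS:
        raise ValueError("not a classic pcap (pcapng or unknown magic 0x%08x)" % magic)
    endian, frac_div = _MAGICS[magic]
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    return endian, frac_div, linktype


def read_pcap(data):
    """Yield (tv_sec, tv_usec, packet_bytes) per record, in file order, one at a time."""
    endian, frac_div, _ = parse_header(data)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        tv_sec, tv_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:  # never trust incl_len from the file
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        yield tv_sec, tv_frac * 1_000_000 // frac_div, pkt  # normalise to microseconds


def write_pcap(records, linktype=1):
    """Serialise (tv_sec, tv_usec, pkt) records as a little-endian microsecond pcap."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for tv_sec, tv_usec, pkt in records:
        out += struct.pack("<IIII", tv_sec, tv_usec, len(pkt), len(pkt)) + pkt
    return bytes(out)


def minute_of_hour(tv_sec):
    """Minute 0-59 of the packet's hour, in UTC. Ethereal shows frame.time in local
    time; minute-of-hour agrees with UTC only for zones with a whole-hour offset,
    so for a half-hour zone convert tv_sec to local time here first."""
    return time.gmtime(tv_sec).tm_min


def experiment_one(tv_sec):
    """True for minutes 00-04, 10-14, ..., 50-54 (experiment one's windows)."""
    return minute_of_hour(tv_sec) % 10 < 5


def filter_pcap(data, keep):
    """Return a new pcap holding only records whose tv_sec satisfies keep()."""
    _, _, linktype = parse_header(data)
    return write_pcap((r for r in read_pcap(data) if keep(r[0])), linktype)


def bucket_start(tv_sec, width, origin=0):
    """Start of the width-second bucket containing tv_sec. origin=0 aligns buckets to
    the clock (X:00, X:05, ... for width=300), like int($hdr{tv_sec}/3600)*3600 in
    the thread; origin=<first packet's tv_sec> gives intervals relative to capture start."""
    return origin + (tv_sec - origin) // width * width


def split_pcap(data, width=300, relative=False):
    """Map each bucket start (epoch seconds) to a pcap of the packets in that bucket."""
    _, _, linktype = parse_header(data)
    origin, buckets = None, {}
    for tv_sec, tv_usec, pkt in read_pcap(data):
        if origin is None:
            origin = tv_sec if relative else 0
        buckets.setdefault(bucket_start(tv_sec, width, origin), []).append((tv_sec, tv_usec, pkt))
    return {start: write_pcap(recs, linktype) for start, recs in buckets.items()}


# Constructed sample: four Ethernet-header-sized stubs timestamped 2006-03-15 01:MM UTC.
def utc_ts(minute, second=0):
    return calendar.timegm((2006, 3, 15, 1, minute, second, 0, 0, 0))


HOUR_START = utc_ts(0)
SAMPLE_PCAP = write_pcap([
    (utc_ts(2), 0, b"\x00" * 14 + b"exp1-a"),            # 01:02:00 -> experiment one
    (utc_ts(7, 30), 500, b"\x00" * 14 + b"exp2-a"),      # 01:07:30 -> experiment two
    (utc_ts(14, 59), 999999, b"\x00" * 14 + b"exp1-b"),  # 01:14:59 -> experiment one
    (utc_ts(55), 0, b"\x00" * 14 + b"exp2-b"),           # 01:55:00 -> experiment two
])

if __name__ == "__main__":
    with open("experiment_one.pcap", "wb") as f:
        f.write(filter_pcap(SAMPLE_PCAP, experiment_one))
    for start, blob in sorted(split_pcap(SAMPLE_PCAP, 300).items()):
        with open(time.strftime("split_%Y%m%d_%H%M.pcap", time.gmtime(start)), "wb") as f:
            f.write(blob)
```

To use it on a real file, replace `SAMPLE_PCAP` with the bytes of the capture (or, for a file larger than RAM, feed `read_pcap` from a memory-mapped file; it only ever touches the current record). `filter_pcap(data, lambda s: not experiment_one(s))` selects experiment two, and `split_pcap(data, 3600)` gives the exact-hour files from LEGO's corrected line 18.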