Wireshark-users: Re: [Wireshark-users] View Filter -> Capture Filter

From: "Jim Young" <SYSJHY@xxxxxxxxxxxxxxx>
Date: Thu, 26 Oct 2006 10:37:54 -0400
Hello Steven,

>>> <sallas@xxxxxxxxxx> 10/26/06 2:49 AM >>>
> Quoting Stephen Fisher <stephentfisher@xxxxxxxxx>:
> 
> Cheers, I had tried using 'tcp port 389' but in needing to do a 24hr
> capture resulted in a lot of info. Even when splitting the data amongst
> multiple files resulted in 10Mb x 260 files. Opening this many files
> would be too much. I'm not sure of what the maximum file size WireShark
> can handle in opening, may give 150Mb a go instead of 10Mb multiple file
> sizes.

This is where the WireShark command line utilities (tshark, and 
mergecap specifically) really come in handy!

You have a large set of (relatively large) capture files.  You 
can use the "tshark" utility with your desired display filter 
(ldap.authentication == 0) to easily select out a subset of 
the frames from each of the original trace files and then write 
this data to a new (filtered) trace file.   Using mergecap you 
can then combine the various filtered trace files into larger 
trace files for subsequent analysis within WireShark itself.

Assuming you have a cmd line environment that allows
one to easily iterate (loop) across a set of files, you
could do something like the following:

#
# In a sh/ksh/bash like environment the following (untested) 
# shell commands would do the following: 
# 
# 1) create a new folder called "filtered".
#
# 2) Execute tshark for each file found in the current directory 
# whose name begins with "myOriginalTraces" and ends with 
# "pcap".  Tshark will use the display filter 'ldap.authentication == 0'
# to select out a specific subset of frames from the current 
# trace file and write the filtered results to a new trace.  The 
# new trace file will have the same name as the original trace 
# file but will be located in the "./filtered" folder.
#
# Note: the file name is quoted ("$i") so that names containing
# spaces are passed to tshark as a single argument.  The -R option
# was the read/display filter flag when this was written; current
# tshark releases use -Y for a single-pass display filter and
# require -2 together with -R.
#

mkdir filtered

for i in myOriginalTraces*.pcap
do
   tshark -r "$i" -R 'ldap.authentication == 0' -w "./filtered/$i"
done

#
# end of script.
#

In the worst case you can construct and execute a simple 
batch file that accomplishes the same thing...

   mkdir filtered
   tshark -r myOriginalTrace01.pcap -R 'ldap.authentication == 0' -w ./filtered/myOriginalTrace01.pcap
   tshark -r myOriginalTrace02.pcap -R 'ldap.authentication == 0' -w ./filtered/myOriginalTrace02.pcap
   tshark -r myOriginalTrace03.pcap -R 'ldap.authentication == 0' -w ./filtered/myOriginalTrace03.pcap
   [snip]


Afterwards you can then use the mergecap utility to 
combine these newly generated (and filtered) trace files 
into convenient sized units.
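The complete filter-then-merge pipeline described above, written out as an added example (not Jim's script): it uses the current tshark -Y display-filter flag, quotes every file name, skips the run when the glob matches nothing, and hands the list of filtered files to a single mergecap call. The "filtered" folder name, the TSHARK/MERGECAP override variables and the input file names are assumptions.

```shell
#!/bin/sh
# Filter a set of capture files with a tshark display filter, then merge
# the filtered results with mergecap.  Assumes tshark 1.10 or later
# (for -Y) and mergecap are on PATH.
set -eu

FILTER='ldap.authentication == 0'   # display filter from the thread
OUTDIR=filtered                     # assumed output folder name

# Path of the filtered copy of an original trace (keeps the base name).
filtered_path() {
    printf '%s/%s\n' "$OUTDIR" "$(basename "$1")"
}

# Run tshark on one input file, writing only the matching frames.
# "${TSHARK:-tshark}" lets a caller point at another binary if needed.
filter_one() {
    in="$1"
    out="$(filtered_path "$in")"
    "${TSHARK:-tshark}" -r "$in" -Y "$FILTER" -w "$out"
}

# Filter every file matching the glob pattern, then merge the filtered
# files into one capture.  Prints the number of input files processed.
filter_and_merge() {
    pattern="$1"    # e.g. 'myOriginalTraces*.pcap'
    merged="$2"     # e.g. ldap-simple-binds.pcap (keep it outside OUTDIR)
    mkdir -p "$OUTDIR"
    set --          # reuse positional parameters as the list of outputs
    for f in $pattern; do
        [ -f "$f" ] || continue     # pattern matched no real file
        filter_one "$f"
        set -- "$@" "$(filtered_path "$f")"
    done
    if [ "$#" -eq 0 ]; then
        echo "no input files matched: $pattern" >&2
        return 1
    fi
    "${MERGECAP:-mergecap}" -w "$merged" "$@"
    echo "$#"
}

# Example invocation (only when run directly, not when sourced):
# filter_and_merge 'myOriginalTraces*.pcap' ldap-simple-binds.pcap
```

Once the filtered files are merged, editcap (for example with its -c option) can cut the result back into pieces of a convenient size.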

I hope this helps.

Jim Young