Wireshark-users: Re: [Wireshark-users] Scripts for filtering a directory file captures to only in

From: Estanislao Gonzalez <estanislao.gonzalez@xxxxxxx>
Date: Wed, 29 Sep 2010 16:42:07 +0200
Hi Phil,

I think you could use something like:

for file in second_dir/*; do
    # -w writes the matching packets as a capture file (without it tcpdump
    # prints decoded text); quote "$file" in case a name contains spaces,
    # and join the two primitives with "and" as BPF syntax requires
    tcpdump -r "$file" -w "$file.filtered" 'src net a.a.a.a/x and dst net b.b.b.b/y'
done

You could join all resulting files for a given amount of time with tcpslice if that simple append does not do the trick.

I haven't tested this out, but it should give you a clue as to where to go from this point.

Cheers,
Estani

On 09/29/2010 12:04 AM, Phil_Deming@xxxxxxxxxxxxxxxxx wrote:
       I am running Ubuntu 9.10 Server and am collecting packets with
TShark 1.4 from about 40 subnets (offices) traversing my aggregation
subnet (the datacenter). There are 9000 64 MB files collected per day
before overwriting begins. When a network question arises, I copy the 1 to
3 hours of files to a 2nd directory so that they won't be overwritten
later. That's about 180+ 64 MB files.
       I need to filter all of the files in the 2nd directory to create new
files containing only packets from 1 to 4 transmitting or receiving
subnets. I need all of the IPs from each subnet.
       Next, I want to see the "Top Talkers" during this period. That should
be the easy part.

       I presume grep, bash, awk, editcap, tshark, tcpdump are the tools. Can
someone get me started with some scripts / examples?


___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



--
Estanislao Gonzalez

Max-Planck-Institut für Meteorologie (MPI-M)
Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany

Phone:   +49 (40) 46 00 94-126
E-Mail:  estanislao.gonzalez@xxxxxxx
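A complete version of the pipeline Phil describes (filter a directory of captures down to the packets sent or received by one or more subnets, merge the results, list top talkers), as an added example that is not code from Estani's reply or from Phil. It assumes tcpdump, mergecap and tshark are on PATH; the directory names and subnets are placeholders passed on the command line, and the script file name filter_subnets.sh is hypothetical. It goes beyond the reply in that it accepts any number of subnets, matches both directions, and writes pcap files rather than decoded text.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes tcpdump, mergecap
# and tshark are installed; SRC_DIR, OUT_DIR and the CIDRs are user-supplied.
set -eu

# Build a BPF expression matching every packet sent OR received by any of
# the given subnets: "net A or net B or ...". Plain "net" covers both
# directions; "src net A and dst net B" would keep only A->B traffic.
build_bpf_filter() {
    local expr="" cidr
    for cidr in "$@"; do
        if [ -z "$expr" ]; then
            expr="net $cidr"
        else
            expr="$expr or net $cidr"
        fi
    done
    printf '%s\n' "$expr"
}

# Write the packets from every capture in SRC_DIR that match the BPF
# expression to OUT_DIR/<name>.filtered.pcap. -w emits pcap rather than
# decoded text, and -nn skips name lookups, which would dominate runtime.
filter_captures() {
    local src_dir="$1" out_dir="$2" bpf="$3" f
    mkdir -p "$out_dir"
    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue
        tcpdump -nn -r "$f" -w "$out_dir/$(basename "$f").filtered.pcap" "$bpf"
    done
}

# Merge the per-file results (mergecap interleaves by timestamp), then take
# tshark's IPv4 endpoints table and sort it by total bytes (column 3 of the
# table: Address, Packets, Bytes, Tx Packets, Tx Bytes, Rx Packets, Rx Bytes).
top_talkers() {
    local out_dir="$1" merged="$2" n="${3:-20}"
    mergecap -w "$merged" "$out_dir"/*.filtered.pcap
    tshark -q -r "$merged" -z endpoints,ip \
        | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/' \
        | sort -k3,3nr \
        | head -n "$n"
}

main() {
    local src_dir="$1" out_dir="$2" bpf
    shift 2
    bpf=$(build_bpf_filter "$@")
    echo "filter: $bpf" >&2
    filter_captures "$src_dir" "$out_dir" "$bpf"
    top_talkers "$out_dir" "$out_dir/merged.pcap" 20
}

if [ "$#" -ge 3 ]; then
    main "$@"
else
    echo "usage: $0 SRC_DIR OUT_DIR CIDR [CIDR ...]" >&2
fi
```

Run as `sh filter_subnets.sh second_dir filtered 10.1.0.0/16 10.2.0.0/16` (file name and subnets are placeholders). The first pass uses tcpdump because it is much faster than tshark for a BPF-only filter over 180 files of 64 MB; tshark then only has to read the merged, much smaller result. Swap `-z endpoints,ip` for `-z conv,ip` to rank conversations (address pairs) instead of individual hosts, and append a display filter (for example `-z endpoints,ip,tcp`) to restrict the table further.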