Wireshark-users: Re: [Wireshark-users] how do I extract these packets with editcap?

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Sat, 7 Apr 2012 22:25:41 +1000
Marilo,

I just did some testing, and it confirmed my thoughts from the editcap man page. The -A and -B switches are only good to the nearest second.

So, 'editcap -A "2012-04-07 22:11:14" -B "2012-04-07 22:11:14" /tmp/f.pcap /tmp/o.pcap' has the same effect as 'editcap -A "2012-04-07 22:11:14.11" -B "2012-04-07 22:11:14.12" /tmp/f.pcap /tmp/o.pcap'. Both edit out 1 second of packets.

If you need a more precise edit, use the packet numbers, something like 'editcap /tmp/f.pcap /tmp/o.pcap 11-12'.


Regards, Martin

MartinVisser99@xxxxxxxxx


On 6 April 2012 08:21, Marilo <narium85-mlscar@xxxxxxxxxxx> wrote:
Here is a sample from my file

I want to extract a specific packet or range of packets, based on time.



C:\sdf>tshark -t ad -r ga.pcap | head -n 6
2161 2012-04-02 08:49:22.022227 192.168.1.66 -> 192.168.1.65 TCP
1085 2012-04-02 08:49:22.022329 192.168.1.65 -> 192.168.1.66 TCP
2161 2012-04-02 08:49:22.022481 192.168.1.66 -> 192.168.1.65 TCP
2162 2012-04-02 08:49:22.023061 192.168.1.66 -> 192.168.1.65 TCP
1085 2012-04-02 08:49:22.023103 192.168.1.65 -> 192.168.1.66 TCP
2162 2012-04-02 08:49:22.023236 192.168.1.66 -> 192.168.1.65 TCP

C:\sdf>tshark -r ga.pcap | head -n 6
2161   0.000000 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2161
1085   0.000102 192.168.1.65 -> 192.168.1.66 TCP 66 2161 1085
2161   0.000254 192.168.1.66 -> 192.168.1.65 TCP 60 1085 2161
2162   0.000834 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2162
1085   0.000876 192.168.1.65 -> 192.168.1.66 TCP 66 2162 1085
2162   0.001009 192.168.1.66 -> 192.168.1.65 TCP 60 1085 2162

I'd like to use the -r format since it's more abbreviated, but anyhow, trying with the longer format, I tried this line:

C:\sdf>editcap -r -A "2012-04-02 08:49:22.022227"  ga.pcap gaa.pcap

and I found that it created a new file gaa.pcap but exactly the same size as ga.pcap  as if I hadn't done the -A switch.

If I can get -A and -B to work then I suppose I could extract ranges of packets, or specific ones, but I can't get -A to work there when I tried it.

I'd also like to know if there is any other unique identifier with the packet, maybe an absolute sequence number, and how to extract it based on that.

Though I can't even get the time one to work at the moment.

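Martin's workaround of selecting by packet number still leaves the job of finding which frame numbers fall inside a sub-second window. The following is an added Python example, not code from the thread or from the Wireshark project: it parses `tshark -t ad` summary lines (assumed layout: frame number first, then absolute date and time with fractional seconds), keeps the frames inside a microsecond-precision window, and folds them into the range arguments `editcap -r` accepts. The sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample of `tshark -t ad -r capture.pcap` summary output (not taken
# from the thread). Assumed layout: frame number, absolute date, time, src -> dst, ...
SAMPLE = """\
1 2012-04-02 08:49:22.022227 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2161
2 2012-04-02 08:49:22.022329 192.168.1.65 -> 192.168.1.66 TCP 66 2161 1085
3 2012-04-02 08:49:22.022481 192.168.1.66 -> 192.168.1.65 TCP 60 1085 2161
4 2012-04-02 08:49:22.523061 192.168.1.66 -> 192.168.1.65 TCP 66 1085 2162
5 2012-04-02 08:49:23.023103 192.168.1.65 -> 192.168.1.66 TCP 66 2162 1085
6 2012-04-02 08:49:23.023236 192.168.1.66 -> 192.168.1.65 TCP 60 1085 2162
"""

# Frame number, then an absolute timestamp with fractional seconds.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
FMT = "%Y-%m-%d %H:%M:%S.%f"

def frames_in_window(tshark_output, start, end):
    """Frame numbers whose timestamp lies in [start, end], compared at microsecond
    resolution instead of the whole-second granularity of editcap -A/-B."""
    t0, t1 = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    frames = []
    for line in tshark_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet summary line
        # Keep at most 26 chars so nanosecond captures (9 fractional digits) still parse.
        ts = datetime.strptime(m.group(2)[:26], FMT)
        if t0 <= ts <= t1:
            frames.append(int(m.group(1)))
    return frames

def to_editcap_ranges(frames):
    """Collapse frame numbers into the range tokens editcap accepts: [2,3,4,7] -> ['2-4','7']."""
    ranges = []
    for n in sorted(set(frames)):
        if ranges and n == ranges[-1][1] + 1:
            ranges[-1][1] = n
        else:
            ranges.append([n, n])
    return [str(a) if a == b else f"{a}-{b}" for a, b in ranges]

def editcap_command(infile, outfile, frames):
    """argv for editcap that keeps only the listed frames (-r keeps the selection instead of dropping it)."""
    return ["editcap", "-r", infile, outfile, *to_editcap_ranges(frames)]
```

Run `editcap_command("ga.pcap", "gaa.pcap", frames_in_window(SAMPLE, start, end))` and pass the resulting argv to `subprocess.run` to perform the cut.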
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe