From: "Zaphod Beeblebrox"
To: "David Wolfskill", "Eduardo Meyer", stable@freebsd.org
Date: Tue, 18 Nov 2008 23:42:30 -0500
Subject: Re: tcpdump(1) filter by date

I don't know whether or not this has been fixed, but I found that I had to
recompile tcpslice and/or tcpdump to deal with files larger than 4 gig (or
maybe 2 gig).

I suppose it's a better situation than Wireshark. After a few million
packets, it falls over because it makes the widgets in the scroller window
for every packet in the file that's visible with the current filter. The
memory from these widgets gets big fast. On a 64-bit machine ... you can
analyze a larger file --- and suck down a lot of swap... but on a 32-bit
machine, you run out of address space quickly.

On Tue, Nov 18, 2008 at 4:41 PM, David Wolfskill wrote:

> [Cross-post to -questions elided, since I saw the message on -stable,
> and I'd like to discourage gratuitous cross-posting. dhw]
>
> On Tue, Nov 18, 2008 at 07:30:39PM -0200, Eduardo Meyer wrote:
> > Hello,
> >
> > I have a kind of big tcpdump file, which has data from the last week. I
> > want to dump information based on date. Can I do it without generating
> > a full output and later parse the headers?
>
> See the port net/tcpslice.
>
> Here's an excerpt from its man page:
>
> DESCRIPTION
>      Tcpslice is a program for extracting portions of packet-trace files
>      generated using tcpdump(l)'s -w flag. It can also be used to merge
>      together several such files, as discussed below.
> ...
>      There are a number of ways to specify times. The first is using Unix
>      timestamps of the form sssssssss.uuuuuu (this is the format specified
>      by tcpdump's -tt flag). For example, 654321098.7654 specifies 38
>      seconds and 765,400 microseconds after 8:51PM PDT, Sept. 25, 1990.
>
>
> ...
>
> Peace,
> david
> --
> David H. Wolfskill                             david@catwhisker.org
> Depriving a girl or boy of an opportunity for education is evil.
>
> See http://www.catwhisker.org/~david/publickey.gpg for my public key.
>
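
As an added example (not part of the thread and not tcpslice's own code): a sketch of the time-window extraction the quoted man page describes, reading a classic pcap file record by record so memory use stays flat however large the capture is. The function names, the 262144-byte record bound and the three-packet sample capture are assumptions constructed for illustration.

```python
import io
import struct

# On-disk magic of classic microsecond pcap -> struct byte-order prefix
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
MAX_CAPLEN = 262144  # assumed sanity bound so a corrupt length cannot force a huge read

def parse_ts(text):
    """'sssssssss.uuuuuu' (the tcpdump -tt form) -> (seconds, microseconds)."""
    sec, _, frac = text.partition(".")
    return int(sec), int(frac.ljust(6, "0")[:6])

def slice_pcap(src, dst, start, end):
    """Stream src to dst, keeping records with start <= time <= end."""
    header = src.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    order = PCAP_MAGIC[header[:4]]
    lo, hi = parse_ts(start), parse_ts(end)
    dst.write(header)
    kept = 0
    while True:
        rec = src.read(16)            # ts_sec, ts_usec, caplen, origlen
        if len(rec) < 16:
            break                     # end of file, or a cut-off record header
        sec, usec, caplen, _ = struct.unpack(order + "IIII", rec)
        if caplen > MAX_CAPLEN:
            raise ValueError("implausible record length, file is corrupt")
        data = src.read(caplen)
        if len(data) < caplen:
            break                     # capture truncated mid-packet: drop it
        if lo <= (sec, usec) <= hi:
            dst.write(rec + data)
            kept += 1
    return kept

def build_sample():
    """Constructed three-packet capture (not real traffic)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in [(654321000, 0), (654321098, 765400), (654400000, 5)]:
        out += struct.pack("<IIII", sec, usec, 3, 3) + b"pkt"
    return out

if __name__ == "__main__":
    out = io.BytesIO()
    kept = slice_pcap(io.BytesIO(build_sample()), out, "654321098.7654", "654321099")
    print(kept, "packet kept,", len(out.getvalue()), "bytes written")
```

Timestamps are compared as (seconds, microseconds) integer pairs rather than floats, so a boundary such as 654321098.7654 matches exactly.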