Date: Tue, 30 Apr 2002 11:00:56 -0700
From: "Crist J. Clark"
To: freebsd-questions@freebsd.org
Subject: tcpdump(8) filtered by time
Message-ID: <20020430110056.B55983@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu

Slightly off-topic, but I'd like to see if anyone has any ideas.

I have a tcpdump(8) file that spans a few hours. I want to isolate an hour somewhere in the middle and dump it to a new file. I can't figure out how to do this. I know how to work around the issue to capture packets for 'x' amount of time from the beginning of the file[0], but I can't come up with a way to grab packets starting at an offset somewhere past the beginning (either by time or count).

Anyone have any ideas on how to do this? I guess I'm stuck editing the binary by hand or making my own tool to mess with the pcap(3) file?

[0] To grab the first 'x' seconds (minutes, whatever), you can first dump the file and print the packets. Run the printed output through grep(1), awk(1), perl(1), or filter all but the packets up to the time you want. Count the number of lines printed with wc(1) (of course, with awk(1) or perl(1) you can just do the counting in the script itself), and then use the '-c' argument of tcpdump(1),

  $ tcpdump -r big.pcap -c <count> -w timed.pcap

So, the ability to specify arbitrary ranges of packets by count is essentially equivalent to being able to do time ranges, but I still can't figure out how to start at an offset by count.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
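The "own tool to mess with the pcap(3) file" the poster mentions is small enough to write: the classic libpcap format is a 24-byte global header followed by 16-byte per-packet records carrying a seconds/microseconds timestamp. The following is an added example, not code from the original mail; it copies the global header unchanged and keeps only records whose timestamp falls in a chosen window, so an hour from the middle of a capture can be written out directly. The `make_pcap` helper only builds a constructed test capture; the function and variable names are this example's own.

```python
import struct

GLOBAL_HDR = 24  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = 16     # ts_sec, ts_usec, incl_len, orig_len

def _endian(magic):
    """Classic pcap magic is written in the capturing host's byte order."""
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a classic microsecond pcap file")

def packets(data):
    """Yield (timestamp_seconds, raw_record) for each packet, record header included."""
    e = _endian(data[:4])
    off = GLOBAL_HDR
    while off + PKT_HDR <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + PKT_HDR])
        end = off + PKT_HDR + incl_len
        if end > len(data):
            break  # truncated final record (capture stopped mid-write): drop it
        yield ts_sec + ts_usec / 1e6, data[off:end]
        off = end

def slice_by_time(data, start, stop):
    """Return a new pcap holding only the packets with start <= timestamp < stop."""
    out = [data[:GLOBAL_HDR]]  # reuse the global header: byte order, snaplen, linktype
    out.extend(rec for ts, rec in packets(data) if start <= ts < stop)
    return b"".join(out)

def make_pcap(stamps, little_endian=True):
    """Build a constructed capture for testing: one 8-byte dummy packet per timestamp."""
    e = "<" if little_endian else ">"
    hdr = struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = []
    for i, ts in enumerate(stamps):
        payload = bytes([i & 0xFF]) * 8
        usec = int(round((ts % 1) * 1e6))
        recs.append(struct.pack(e + "IIII", int(ts), usec, len(payload), len(payload)) + payload)
    return hdr + b"".join(recs)

if __name__ == "__main__":
    # Constructed 3-hour capture (timestamps in seconds since the epoch); keep the second hour.
    cap = make_pcap([0, 3599.5, 3600, 5400.25, 7199.9, 7200, 10800])
    print(sum(1 for _ in packets(slice_by_time(cap, 3600, 7200))))
```

On a real file written with `tcpdump -w`, pass the bytes of the file to `slice_by_time` with the window as epoch seconds and write the result to the new file; the output is still a plain pcap that `tcpdump -r` reads.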