Date:      Tue, 30 Apr 2002 16:55:43 -0300 (ART)
From:      Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To:        <cjclark@alum.mit.edu>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: tcpdump(8) filtered by time
Message-ID:  <20020430165309.R85537-100000@localhost>
In-Reply-To: <20020430110056.B55983@blossom.cjclark.org>

On Tue, 30 Apr 2002, Crist J. Clark wrote:

> Slightly off-topic, but I'd like see if anyone has any ideas.
>
> I have a tcpdump(8) file that spans a few hours. I want to isolate
> an hour somewhere in the middle and dump it to a new file. I can't
> figure out how to do this.

Doesn't tcpslice do something like that?

From tcpslice(1)

DESCRIPTION
     Tcpslice is a program for extracting portions of packet-trace files
     generated using tcpdump(1)'s -w flag.  It can also be used to glue together
     several such files, as discussed below.

     The basic operation of tcpslice is to copy to stdout all packets from its
     input file(s) whose timestamps fall within a given range.  The starting
     and ending times of the range may be specified on the command line.  All
     ranges are inclusive.  The starting time defaults to the time of the
     first packet in the first input file; we call this the first time.  The
     ending time defaults to ten years after the starting time.  Thus, the
     command tcpslice trace-file simply copies trace-file to stdout (assuming
     the file does not include more than ten years' worth of data).



Hope this helps.


			Fer
>
> I know how to work around the issue to capture packets for 'x' amount
> of time from the beginning of the file[0], but I can't come up with a
> way to grab packets starting at an offset somewhere past the beginning
> (either by time or count).
>
> Anyone have any ideas on how to do this? I guess I'm stuck editing the
> binary by hand or making my own tool to mess with the pcap(3) file?
>
> [0] To grab the first 'x' seconds (minutes, whatever), you can first
> dump the file and print the packets. Run the printed output through
> grep(1), awk(1), perl(1), or filter all but the packets up to the time
> you want. Count the number of lines printed with wc(1) (of course,
> with awk(1) or perl(1) you can just do the counting in the script
> itself), and then use the '-c' argument of tcpdump(1),
>
>   $ tcpdump -r big.pcap -c <count> -w timed.pcap
>
> So, the ability to specify arbitrary ranges of packets by count is
> essentially equivalent to being able to do time ranges, but I still
> can't figure out how to start at an offset by count.
> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
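The thread asks for two things: copying the packets whose timestamps fall in an inclusive range (what the quoted tcpslice(1) text describes) and starting at an offset by packet count (what the original poster could not get from tcpdump -c). The following is an added example, not code from the thread, from tcpdump or from tcpslice: a small Python slicer for the classic pcap(3) savefile that tcpdump -w produces. It checks every record length against the snaplen and the file size before touching the data, because capture files are often handed around and a malformed incl_len must not drive a read past the buffer. Function names, the constructed sample packets and the choice of integer microseconds since the epoch for the range arguments are assumptions of this example; pcapng and nanosecond-resolution files are deliberately rejected rather than guessed at.

```python
"""Slice a classic pcap savefile by inclusive timestamp range and/or packet offset.

Added example for the thread above; not tcpslice's or tcpdump's code.
Handles only the classic libpcap format (magic 0xa1b2c3d4, microsecond stamps),
in either byte order, which is what tcpdump -w writes.
"""
import struct

# Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype.
# Record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire).
GLOBAL_HDR_FMT = "IHHiIII"
REC_HDR_FMT = "IIII"
GLOBAL_HDR_LEN = struct.calcsize("<" + GLOBAL_HDR_FMT)  # 24 bytes
REC_HDR_LEN = struct.calcsize("<" + REC_HDR_FMT)        # 16 bytes
LINKTYPE_ETHERNET = 1

# tcpdump writes the magic in host byte order, so the byte pattern on disk
# tells a reader which endianness the rest of the file uses.
_MAGIC_TO_ENDIAN = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def build_pcap(packets, endian="<"):
    """Build a pcap file in memory from (ts_sec, ts_usec, payload) tuples.

    Used here only to construct sample input; real input comes from tcpdump -w.
    """
    out = [struct.pack(endian + GLOBAL_HDR_FMT, 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, data in packets:
        out.append(struct.pack(endian + REC_HDR_FMT, sec, usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)


def iter_records(blob):
    """Yield (ts_sec, ts_usec, payload, orig_len) for each record, rejecting bad lengths."""
    if len(blob) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    endian = _MAGIC_TO_ENDIAN.get(blob[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file (magic %r)" % blob[:4])
    _magic, _vmaj, _vmin, _tz, _sig, snaplen, _lt = struct.unpack_from(endian + GLOBAL_HDR_FMT, blob, 0)
    off = GLOBAL_HDR_LEN
    while off < len(blob):
        if off + REC_HDR_LEN > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, orig = struct.unpack_from(endian + REC_HDR_FMT, blob, off)
        off += REC_HDR_LEN
        # incl_len is file-controlled: bound it by snaplen, by orig_len and by what is
        # actually left in the buffer before slicing, so a corrupt file cannot over-read.
        if incl > snaplen or incl > orig or off + incl > len(blob):
            raise ValueError("bad packet length %d at offset %d" % (incl, off - REC_HDR_LEN))
        yield sec, usec, blob[off:off + incl], orig
        off += incl


def slice_pcap(blob, start_us=None, end_us=None, skip=0, count=None):
    """Return a new pcap with the packets whose timestamp (integer microseconds since
    the epoch) satisfies start_us <= ts <= end_us, both inclusive as in tcpslice,
    then with the first `skip` of those dropped and at most `count` kept.

    Packets are tested one by one, so the input need not be strictly time-ordered.
    The global header (snaplen, link type, byte order) is copied from the input.
    """
    endian = _MAGIC_TO_ENDIAN.get(blob[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file (magic %r)" % blob[:4])
    out = [blob[:GLOBAL_HDR_LEN]]
    matched = 0
    kept = 0
    for sec, usec, data, orig in iter_records(blob):
        ts = sec * 1_000_000 + usec
        if start_us is not None and ts < start_us:
            continue
        if end_us is not None and ts > end_us:
            continue
        matched += 1
        if matched <= skip:
            continue  # this is the "start at an offset by count" the thread asks for
        out.append(struct.pack(endian + REC_HDR_FMT, sec, usec, len(data), orig))
        out.append(data)
        kept += 1
        if count is not None and kept >= count:
            break
    return b"".join(out)


# Constructed sample capture: five packets one to one and a half seconds apart.
SAMPLE_PACKETS = [(1000, 0, b"A" * 60), (1000, 500000, b"B" * 60), (1001, 0, b"C" * 60),
                  (1002, 250000, b"D" * 60), (1003, 0, b"E" * 60)]


def timestamps(blob):
    """Helper for inspection: the (ts_sec, ts_usec) of every record in a pcap blob."""
    return [(sec, usec) for sec, usec, _data, _orig in iter_records(blob)]


if __name__ == "__main__":
    cap = build_pcap(SAMPLE_PACKETS)
    middle = slice_pcap(cap, start_us=1000_500000, end_us=1002_250000)
    print("time range:", timestamps(middle))
    print("skip 1, count 2:", timestamps(slice_pcap(cap, skip=1, count=2)))
```

To use it on a real file, read the capture with `open(path, "rb").read()`, convert the wanted window to microseconds (for example `int(datetime_obj.timestamp() * 1_000_000)`), and write the returned bytes to a new file; tcpdump -r will read the result because the global header is copied unchanged. For multi-gigabyte captures the same record-walking loop can be rewritten to stream from a file object instead of holding the whole blob in memory.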