
I don't have any base knowledge about tshark, and it is hard to find any tutorial to help me with this.

So now I have a pcap file which consists of a lot of network flows; a time range; an IP address; a TCP port number; the number of packets sent by the IP address OR the number of packets received by the IP address.

What I want to do is first let tshark read from that pcap file, then use the time range to filter out all the network flows that are in that time range, then use the IP address to filter out all the network flows from that IP address on those already-filtered-by-time flows, and then use the TCP port number and the number of packets sent/received by the IP address to finally locate the flow I want. Then follow this flow/stream and save the whole conversation to a new pcap file.

Can anyone help? I'll very much appreciate it.

quanta
Tor
  • wireshark is the GUI version of tshark... would that possibly work? It makes it easy to apply filters to the display and save the results. I'm not sure if tshark can filter by conversation flow. – Jeff Ferland Oct 11 '11 at 18:12
  • I use wireshark to capture the network flows and generate that pcap file. But I am writing a program in Tcl that will need to be able to call tshark to get the filtered pcap I want. lol thanks. – Tor Oct 11 '11 at 18:18
  • http://serverfault.com/questions/309766/how-can-i-display-filter-the-correspondant-response-to-a-specific-display-filtere – quanta Oct 12 '11 at 07:09

2 Answers

See tool for splitting pcap files by TCP connection?, then feel a bit sad that I can't find anything for Linux that will keep a PCAP in proper form and filter by flow. If you can do it without focusing on the flows, then tshark will respect all the normal tcpdump (pdf link) filters. Read in the dump and set the -w output flag and filters and you'll get your leaner file.

Jeff Ferland
  • I just had a look at the reference http://serverfault.com/questions/273066/tool-for-splitting-pcap-files-by-tcp-connection, and it is something very similar to what I want to do. Thank you again! – Tor Oct 11 '11 at 18:49

What I want to do is that first I let tshark to read from that pcap file, and then use the time range to filter out all the network flows that are in that time range

You should do it with editcap:

$ editcap -A "2011-07-12 09:49:16" -B "2011-07-12 09:49:20" in.pcap out.pcap

and then use the IP address to filter out all the network flows from that IP address, and then use the TCP port number and the number of packets sent/received by the IP address to finally locate the flow I want.

$ tshark -r out.pcap -R "ip.addr == $IP && tcp.port == $PORT"

Then follow this flow/stream

$ tshark -r out.pcap -R "ip.addr == $IP && tcp.port == $PORT" \
    -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | \
    sort -u | \
    while read src sport dst dport; do
        # one 4-tuple per line; ip.addr/tcp.port match either direction,
        # so each pass writes the whole conversation for that tuple
        tshark -r out.pcap \
            -R "ip.addr == $src && tcp.port == $sport && \
                ip.addr == $dst && tcp.port == $dport" \
            -w "flow_${src}_${sport}_${dst}_${dport}.pcap"
    done
quanta
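The answer above covers the time-range cut and the IP/port filter but not the last criterion in the question, the number of packets sent or received by the IP address. The script below is an added example, not code from either answer: it uses editcap -A/-B exactly as the answer does, then has tshark print the tcp.stream number alongside the endpoints of every packet, counts packets per stream in the requested direction, and writes the matching stream (both directions) to a new pcap. It assumes a tshark new enough to accept -Y for the display filter (the -R in the answer needs -2 on those versions); the function names, the SAMPLE_FIELDS lines and the flow_out.pcap path are constructed for this example.

```shell
#!/bin/sh
# Added example: locate a TCP stream by IP, port and packet count, then
# save the whole conversation. Requires editcap and tshark on PATH for
# find_and_save_flow; pick_stream works on plain text and needs neither.

# Constructed sample of "tshark -T fields -e tcp.stream -e ip.src
# -e tcp.srcport -e ip.dst -e tcp.dstport" output (whitespace-separated).
SAMPLE_FIELDS='0 10.0.0.5 40000 10.0.0.9 80
0 10.0.0.9 80 10.0.0.5 40000
0 10.0.0.5 40000 10.0.0.9 80
1 10.0.0.5 40001 10.0.0.9 80
1 10.0.0.9 80 10.0.0.5 40001
2 10.0.0.7 40002 10.0.0.9 80'

# pick_stream IP PORT sent|recv COUNT
# Reads field lines on stdin and prints every tcp.stream number in which
# IP sent (or received) exactly COUNT packets on a conversation that
# involves PORT. Several streams can match, so the caller decides.
pick_stream() {
    ip=$1; port=$2; dir=$3; want=$4
    awk -v ip="$ip" -v port="$port" -v dir="$dir" -v want="$want" '
        {
            # the port must belong to one end of the conversation
            if ($3 != port && $5 != port) next
            if (dir == "sent" && $2 == ip) n[$1]++
            if (dir == "recv" && $4 == ip) n[$1]++
        }
        END { for (s in n) if (n[s] == want) print s }
    ' | sort -n
}

# find_and_save_flow IN.pcap START END IP PORT sent|recv COUNT OUT.pcap
# Step 1: cut the capture to the time window (editcap -A/-B, as in the answer).
# Step 2: list stream id and endpoints for the packets matching IP and port.
# Step 3: choose the stream whose packet count matches and write it with -w.
find_and_save_flow() {
    in=$1; start=$2; end=$3; ip=$4; port=$5; dir=$6; want=$7; out=$8
    tmp=$(mktemp) || return 1
    editcap -A "$start" -B "$end" "$in" "$tmp" || { rm -f "$tmp"; return 1; }
    stream=$(tshark -r "$tmp" -Y "ip.addr == $ip && tcp.port == $port" \
        -T fields -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
        | pick_stream "$ip" "$port" "$dir" "$want" | head -n 1)
    if [ -z "$stream" ]; then
        echo "no stream matched ip=$ip port=$port $dir=$want" >&2
        rm -f "$tmp"
        return 1
    fi
    # tcp.stream identifies both directions of one TCP conversation,
    # so filtering on it keeps the complete flow in the output file.
    tshark -r "$tmp" -Y "tcp.stream == $stream" -w "$out"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Offline demonstration on the constructed sample: which stream did
# 10.0.0.5 send exactly two packets in, talking to port 80?
printf '%s\n' "$SAMPLE_FIELDS" | pick_stream 10.0.0.5 80 sent 2

# Real usage (needs editcap/tshark and a capture), for example:
# find_and_save_flow in.pcap "2011-07-12 09:49:16" "2011-07-12 09:49:20" \
#     10.0.0.5 80 sent 2 flow_out.pcap
```

pick_stream takes the first match in find_and_save_flow; if two streams between the same endpoints have the same packet count in the window, narrow the time range or drop head -n 1 and write one file per stream, as the answer's loop does per 4-tuple.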