Wireshark mailing list archives

Re: Scripts for filtering a directory file captures to only include specific Subnet packets in new files in a new directory


From: Kevin C <ckevinj () gmail com>
Date: Fri, 1 Oct 2010 06:44:47 -0500

Are you using full paths for the files and directories? Often an error like this is just because it can't locate the 
file or directories and this happens more often when wrapped by the sudo layer. 

-kc 

On Sep 30, 2010, at 3:58 PM, Phil_Deming () mechanicsbank com wrote:



Estani, thank you so much for getting me started. That was Great Help !
but now:

The Script ran perfectly with the obvious changes needed !
I knew the Script was working, B U T, tcpdump comes back with Permission
Denied. I chmod to 777 and 755 with no effect.
I ran it on Ubuntu 9.10 and 10.04, same results. I googled it and did the
9.04 fix and it didn't fix it.
   (aa-complain /usr/sbin/tcpdump - This will change it to complain)
   (aa-enforce /usr/sbin/tcpdump - This will re-enable the AppArmor profile
for tcpdump)
When I changed the Script to use tshark it ran perfectly and gave good
results.
What do I do to fix tcpdump on Ubuntu?





On 09/29/2010 09:25 AM, Phil Deming wrote to Estanislao Gonzalez:
Thanks. I'll try it now.  Phil





On 09/29/2010 07:42 AM, Estanislao Gonzalez <estanislao.gonzalez () zmaw de> wrote to
Community support list for Wireshark <wireshark-users () wireshark org>,
Cc: Phil_Deming () mechanicsbank com:

Hi Phil,

I think you could use something like:

for file in second_dir/*; do
    # quote the path; "and" joins the two primitives; -w writes matching packets as a new capture file
    tcpdump -r "$file" -w "$file.filtered" 'src net a.a.a.a/x and dst net b.b.b.b/y'
done

You could join all resulting files for a given amount of time with
tcpslice if that simple append does not do the trick.

I haven't tested this out, but it should give you a clue as to where to
go from this point.

Cheers,
Estani

On 09/29/2010 12:04 AM, Phil_Deming () mechanicsbank com wrote:
      I am running Ubuntu 9.10 Server and am collecting packets with
TShark 1.4 from about 40 Subnets (Offices) traversing my aggregation
Subnet (the Datacenter). There are 9000 64meg files collected per day
before overwriting begins. When a Network question arises, I copy the 1
to 3 hours of files to a 2nd Directory so that they won't be overwritten
later. That's about 180+ 64 meg files.
      I need to filter all of the files in the 2nd Directory to create
new files only containing packets from 1 to 4 transmitting or receiving
Subnets. I need all of the IPs from each subnet.
      Next, I want to see the "Top Talkers" during this period. That
should be the easy part.

      I presume grep, bash, awk, editcap, tshark, tcpdump are the tools.
Can someone get me started with some scripts / examples?


We commit our personal best to you, every day!

The information transmitted may contain confidential material and is
intended only for the person or entity to which it is addressed. Any
review, retransmission, dissemination or other use of or taking of any
action by persons or entities other than the intended recipient is
prohibited. If you are not the intended recipient, please delete the
information from your system and contact the sender.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe



--
Estanislao Gonzalez

Max-Planck-Institut für Meteorologie (MPI-M)
Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany

Phone:   +49 (40) 46 00 94-126
E-Mail:  estanislao.gonzalez () zmaw de
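As an added example (not code posted by anyone in this thread), the POSIX shell script below carries Estani's loop through to what Phil asked for, and also builds in Kevin's point about paths: it builds a BPF expression that matches packets sent to or received by any of several subnets, writes each filtered capture as a new pcap file into a new directory after resolving both directories to absolute paths (so the loop behaves the same under sudo from another working directory), and derives a top-talkers list from `tcpdump -nn` text output. The directory names `second_dir` and `filtered`, the sample subnets and the tcpdump lines quoted in the comments are assumptions; tcpdump (and tcpslice for merging) is assumed to be on PATH for `filter_dir`.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# Assumed: tcpdump (and, for merging, tcpslice) on PATH; directory names
# "second_dir" and "filtered" are placeholders.

# build_filter NET... -> BPF expression matching packets sent to OR received
# by any listed subnet ("net X" covers both src and dst, which is what a
# "transmitting or receiving subnet" means in BPF terms).
build_filter() {
    bpf=""
    for net in "$@"; do
        if [ -z "$bpf" ]; then
            bpf="net $net"
        else
            bpf="$bpf or net $net"
        fi
    done
    printf '%s' "$bpf"
}

# filter_dir SRC_DIR DST_DIR BPF -> writes SRC_DIR/<name> filtered by BPF to
# DST_DIR/<name>.filtered as a real pcap file (-w), never as decoded text.
# Both directories are resolved to absolute paths first, so the loop behaves
# the same when it is run through sudo from another working directory.
filter_dir() {
    src=$(cd "$1" && pwd) || return 1
    mkdir -p "$2" || return 1
    dst=$(cd "$2" && pwd) || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        # stderr is left alone on purpose: a "Permission denied" from tcpdump
        # (e.g. an AppArmor profile denying -w into this directory) must be seen
        tcpdump -r "$f" -w "$dst/$(basename "$f").filtered" "$3" || return 1
    done
}

# top_talkers [N] -> reads "tcpdump -nn" text on stdin, counts each IPv4
# address once per packet it sent or received, prints the N busiest (default 10).
# Expected input lines look like (constructed samples):
#   12:00:00.000001 IP 10.1.2.3.40000 > 10.9.8.7.80: Flags [S], seq 1, length 0
#   12:00:00.000003 IP 10.1.2.3 > 10.9.8.7: ICMP echo request, id 1, seq 1, length 64
top_talkers() {
    awk '
        # strip a trailing ".port" only when one is present (TCP/UDP lines);
        # ICMP lines carry the bare address, so five dotted parts mean a port
        function host(s,  a, n) {
            n = split(s, a, ".")
            return (n == 5) ? a[1] "." a[2] "." a[3] "." a[4] : s
        }
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            c[host(src)]++; c[host(dst)]++
        }
        END { for (ip in c) print c[ip], ip }
    ' | sort -rn | head -n "${1:-10}"
}
```

A typical run would be `filter_dir second_dir filtered "$(build_filter 10.1.0.0/16 10.2.0.0/16)"`, then `tcpslice -w all.pcap filtered/*.filtered` to merge the per-file results into one capture, and `tcpdump -nn -r all.pcap | top_talkers 10` for the busiest hosts. The count is per packet, not per byte; for a byte-weighted view tshark's built-in `-z endpoints,ip` statistics are the alternative. Note that `top_talkers` only handles IPv4 lines (`IP`, not `IP6`) in the default `tcpdump -nn` format.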




