thr3ads.net - freebsd stable - tcpdump(1) filter by date [Nov 2008]

If this information is useful, please help other people find it:
Share via:

Eduardo Meyer

2008-Nov-18 13:31 UTC

tcpdump(1) filter by date

Hello,

I have a kind big tcpdump file, which has data from the last week. I
want to dump information based on date. Can I do it without generating
a full output and later parse the headers?

Say, I want to filter by date in the <expression> filter and not with

tcpdump -r dumpfile | awk '{<some-black-magic-here}'

Because sometimes I want o search the full packet content (-vvv, -XX,
-T, ...) by date, and as its a huge file, dumpling everthing and
parsing it later on run-time wound consume too much memory (its a
couple of GBs file).

Thank you all, but I could not find a "date" keyword for filtering
expression.

However, counting by packets sequence would also fit my needs because
the need is to, say, "analyse until a certain point" and later
"continue analysing from where I stopped", so, lets say

tcpdump -r dumpfile -c 10000

Would allow me to read the first 10000 packets from the dumpfile.
Later I would need to keep doing my job from packet 10001 to 20000.
The "date" question is because I can check the precise epoch timestamp
of the last packet I have read and later, ask tcpdump to print -c
<count> number of packets starting from the epoch-formatted date I
have paused my work later.

Sometimes I will also need this for pflog files, so, I would
appreciate any tips to do this with tcpdump custom files or pflog
generated files if there is anything would fit for one situation but
not for another.

Thank you all in advance.



-- 
==========Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

David Wolfskill

2008-Nov-18 13:41 UTC

head link

tcpdump(1) filter by date

[Cross-post to -questions elided, since I saw the message on -stable,
and I'd like to discourage gratuitous cross-posting.  dhw]

On Tue, Nov 18, 2008 at 07:30:39PM -0200, Eduardo Meyer
wrote:> Hello,
> 
> I have a kind big tcpdump file, which has data from the last week. I
> want to dump information based on date. Can I do it without generating
> a full output and later parse the headers?
See the port net/tcpslice.

Here's an excerpt from its man page:

DESCRIPTION
       Tcpslice  is  a  program  for extracting portions of packet-trace files
       generated using tcpdump(l)'s -w flag.  It can also  be  used  to 
merge
       together several such files, as discussed below.
...
       There  are  a number of ways to specify times.  The first is using Unix
       timestamps of the form sssssssss.uuuuuu (this is the  format  specified
       by  tcpdump's -tt flag).  For example, 654321098.7654 specifies 38
sec-
       onds and 765,400 microseconds after 8:51PM PDT, Sept. 25, 1990.
> ...
Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20081118/ae8239d8/attachment.pgp

freebsd stable - Nov 2008 - tcpdump(1) filter by date

tcpdump(1) filter by date

tcpdump(1) filter by date