

Example: Filtering a Capture File to Reduce Size

In an earlier example, we used the capinfos command to footprint a capture file. According to the capinfos output, this capture file had over 31,623 frames. We can verify this by reading the network capture and sending the text output to the command wc -l, which will provide a line count. Since tcpdump outputs one packet per line of text output by default, this should give us the number of packets.

    reading from file scenario.pcap, link-type EN10MB (Ethernet)

As expected, we see the output 31263, confirming the capinfos output for number of frames. This is too many frames to simply scan through by hand, so it will need to be filtered down. For example, we may be interested in HTTP traffic between the IP addresses 192.168.1.1 and 10.10.10.50 from the intrusion investigation scenario. The next example shows how the packet number decreases as we successively add these requirements to a tcpdump filter expression. This example has shown a reduction in the number of packets to analyze from an original 31263 down to 1072 using tcpdump. This is a much smaller number of packets to analyze, and you may be ready at this point to save the resulting packets into a new capture file to load into a GUI analysis program such as Wireshark or NetworkMiner. The following example shows how to save packet output to a new capture file, instead of outputting to text. This overall strategy of filtering a file and saving new output is very useful for trimming large network captures to a manageable size.

The original size of the example capture file at over 31,000 frames was actually fairly small. But you may find yourself responsible for analyzing much larger amounts of network traffic, with file sizes ranging into hundreds of GBs. In these situations, you will often have no choice but to filter the files from the command line before you can import them into many tools.
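The two steps described above (count the frames in a capture, then keep only the frames for a given host pair and TCP port and write them to a new, smaller capture) are shown below as an added example in pure Python, so it runs without tcpdump installed. It is not code from the original text. It builds a small constructed pcap in memory (the addresses 192.168.1.1 and 10.10.10.50 are taken from the scenario; the MACs, ports and frame count are made up), applies the equivalent of the BPF expression `host 192.168.1.1 and host 10.10.10.50 and tcp port 80`, and writes the matching frames to a new pcap file. On a real system the same workflow is `tcpdump -r in.pcap | wc -l` for the count and `tcpdump -r in.pcap -w out.pcap '<filter>'` for the save; this script only mirrors what those options do.

```python
import io
import socket
import struct

# Classic pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET (1)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_frame(src_ip, dst_ip, src_port, dst_port, proto=6):
    """Build a minimal Ethernet/IPv4/TCP (proto 6) or UDP (proto 17) frame. Constructed test data."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    if proto == 17:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8, 0)  # UDP: ports, length, checksum
    else:
        l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16  # TCP: ports + zeroed rest of header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def write_pcap(frames):
    """Serialize frames into a pcap byte string (what `tcpdump -w` produces)."""
    out = io.BytesIO()
    out.write(PCAP_GLOBAL_HDR)
    for i, frame in enumerate(frames):
        out.write(struct.pack("<IIII", i, 0, len(frame), len(frame)))  # ts_sec, ts_usec, incl_len, orig_len
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Yield each frame from a pcap byte string (what `tcpdump -r` reads), honoring the magic's byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def matches(frame, host_a, host_b, port=80):
    """Equivalent of the BPF filter 'host A and host B and tcp port PORT' (either direction)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if proto != 6 or {src, dst} != {host_a, host_b}:
        return False
    l4 = 14 + ihl
    if len(frame) < l4 + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return port in (sport, dport)


def filter_capture(pcap_bytes, host_a, host_b, port=80):
    """Return (total_frames, kept_frames, filtered_pcap_bytes): the count step and the save step."""
    frames = list(read_pcap(pcap_bytes))
    kept = [f for f in frames if matches(f, host_a, host_b, port)]
    return len(frames), len(kept), write_pcap(kept)


def build_sample_capture():
    """Constructed capture: 6 HTTP frames between the scenario hosts plus 3 decoys that must be dropped."""
    frames = []
    for _ in range(3):
        frames.append(build_frame("192.168.1.1", "10.10.10.50", 40000, 80))
        frames.append(build_frame("10.10.10.50", "192.168.1.1", 80, 40000))
    frames.append(build_frame("192.168.1.1", "10.10.10.50", 40001, 443))           # right hosts, wrong port
    frames.append(build_frame("192.168.1.1", "8.8.8.8", 40002, 80))                # port 80, wrong peer
    frames.append(build_frame("192.168.1.1", "10.10.10.50", 5353, 80, proto=17))  # UDP, not TCP
    return write_pcap(frames)


if __name__ == "__main__":
    total, kept, filtered = filter_capture(build_sample_capture(), "192.168.1.1", "10.10.10.50")
    print(f"{total} frames read, {kept} kept after filtering")
    with open("filtered.pcap", "wb") as fh:   # load this in Wireshark or NetworkMiner
        fh.write(filtered)
```

The filter is applied to both directions of the conversation, which is what `host A and host B` means in BPF; the decoy frames show the three ways a frame can fail the expression (wrong peer, wrong port, wrong transport protocol).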
