wireshark-users October 2010 archive

Re: [Wireshark-users] Scripts for filtering a directory file captures to only include specific Subnet packets in new files in a new directory

From: Estanislao Gonzalez <estanislao.gonzalez_at_nospam>
Date: Fri Oct 01 2010 - 10:48:12 GMT
To: Phil_Deming@mechanicsbank.com

Well, apparently it should: http://ubuntuforums.org/showthread.php?t=527976
What's the error exactly, and does tcpdump break only when run inside
the script or always?

On 10/01/2010 12:44 PM, Phil_Deming@mechanicsbank.com wrote:
>
> Thanks for staying with me.
>
> I did sudo. Is that not good enough?
>
> Re: [Wireshark-users] Scripts for filtering a directory file captures to
> only include specific Subnet packets in new files in a new directory
>
> Estanislao Gonzalez
> to: Phil_Deming
> 10/01/2010 03:08 AM
> Cc: wireshark-users
>
> As far as I know you need to be root to run tcpdump, and it's not
> because of the program but because the program needs to access the kernel.
>
> On 09/30/2010 10:58 PM, Phil_Deming@mechanicsbank.com wrote:
>> Estani, thank you so much for getting me started. That was Great Help!
>> But now:
>>
>> The Script ran perfectly with the obvious changes needed!
>> I knew the Script was working, B U T, tcpdump comes back with Permission
>> Denied. I chmod to 777 and 755 with no effect.
>> I ran it on Ubuntu 9.10 and 10.04, same results. I googled it and did the
>> 9.04 fix and it didn't fix it.
>> (aa-complain /usr/sbin/tcpdump - This will change it to complain)
>> (aa-enforce /usr/sbin/tcpdump - This will re-enable the AppArmor profile
>> for tcpdump)
>> When I changed the Script to use tshark it ran perfectly and gave good
>> results.
>> What do I do to fix tcpdump on Ubuntu?
>>
>> Re: [Wireshark-users] Scripts for filtering a directory file captures to
>> only include specific Subnet packets in new files in a new directory
>>
>> Phil Deming
>> to: Estanislao Gonzalez
>> 09/29/2010 09:25 AM
>>
>> Thanks. I'll try it now. Phil
>>
>> Re: [Wireshark-users] Scripts for filtering a directory file captures to
>> only include specific Subnet packets in new files in a new directory
>>
>> From: Estanislao Gonzalez <estanislao.gonzalez@zmaw.de>
>> To: Community support list for Wireshark <wireshark-users@wireshark.org>
>> Cc: Phil_Deming@mechanicsbank.com
>> 09/29/2010 07:42 AM
>>
>> Hi Phil,
>>
>> I think you could use something like:
>>
>> for file in second_dir/*; do
>>     # quote the path; 'and' is required to join the two BPF primitives
>>     tcpdump -r "$file" src net a.a.a.a/x and dst net b.b.b.b/y >> "$file.filtered"
>> done
>>
>> You could join all resulting files for a given amount of time with
>> tcpslice if that simple append does not do the trick.
>>
>> I haven't tested this out, but it should give you a clue as to where to
>> go from this point.
>>
>> Cheers,
>> Estani
>>
>> On 09/29/2010 12:04 AM, Phil_Deming@mechanicsbank.com wrote:
>>> I am running Ubuntu 9.10 Server and am collecting packets with
>>> TShark 1.4 from about 40 Subnets (Offices) traversing my aggregation
>>> Subnet (the Datacenter). There are 9000 64meg files collected per day
>>> before overwriting begins. When a Network question arises, I copy the 1 to
>>> 3 hours of files to a 2nd Directory so that they won't be overwritten
>>> later. That's about 180+ 64 meg files.
>>> I need to filter all of the files in the 2nd Directory to create new
>>> files only containing packets from 1 to 4 transmitting or receiving
>>> Subnets. I need all of the IPs from each subnet.
>>> Next, I want to see the "Top Talkers" during this period. That should
>>> be the easy part.
>>>
>>> I presume grep, bash, awk, editcap, tshark, tcpdump are the tools. Can
>>> someone get me started with some scripts / examples?
>>>
>>> We commit our personal best to you, every day!
>>>
>>> The information transmitted may contain confidential material and is
>>> intended only for the person or entity to which it is addressed. Any
>>> review, retransmission, dissemination or other use of or taking of any
>>> action by persons or entities other than the intended recipient is
>>> prohibited. If you are not the intended recipient, please delete the
>>> information from your system and contact the sender.
>>> ___________________________________________________________________________
>>> Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
>>> Archives: http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>> mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
>>
>> --
>> Estanislao Gonzalez
>>
>> Max-Planck-Institut für Meteorologie (MPI-M)
>> Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
>> Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany
>>
>> Phone: +49 (40) 46 00 94-126
>> E-Mail: estanislao.gonzalez@zmaw.de
>>

--
Estanislao Gonzalez
Max-Planck-Institut für Meteorologie (MPI-M)
Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany
Phone: +49 (40) 46 00 94-126
E-Mail: estanislao.gonzalez@zmaw.de
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
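An added example, not code from the thread: the per-file loop Estani sketched, written so it produces pcap output (tcpdump -w) for the subnet list Phil described, merges the results and lists endpoints for the "top talkers" question, plus a check of kernel log text for the AppArmor denials behind the "Permission denied" Phil hit. Directory names, the subnet list and the sample log lines are constructed placeholders; tcpdump, mergecap and tshark are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholders: directory names,
# the subnet list and the sample log lines are constructed.

# Build a BPF filter from a space-separated subnet list, e.g.
#   "10.1.0.0/16 10.2.0.0/24" -> "net 10.1.0.0/16 or net 10.2.0.0/24"
# 'net' matches either src or dst, i.e. "transmitting or receiving".
build_bpf() {
    bpf=""
    for subnet in $1; do
        if [ -z "$bpf" ]; then bpf="net $subnet"; else bpf="$bpf or net $subnet"; fi
    done
    printf '%s' "$bpf"
}

# Filter every capture in $1 into $2 (one pcap per input), merge them in
# timestamp order, then list IP endpoints as a first cut at "top talkers".
filter_captures() {
    src_dir=$1; dst_dir=$2; filter=$(build_bpf "$3")
    mkdir -p "$dst_dir"
    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue
        # -w keeps pcap format; a text redirect (>>) is not loadable in Wireshark
        tcpdump -r "$f" -w "$dst_dir/$(basename "$f").filtered.pcap" "$filter"
    done
    mergecap -w "$dst_dir/merged.pcap" "$dst_dir"/*.filtered.pcap
    tshark -q -r "$dst_dir/merged.pcap" -z endpoints,ip
}

# Pull tcpdump AppArmor denials out of kernel log text on stdin. AppArmor
# confines root as well, so the Ubuntu tcpdump profile can reject -r/-w on a
# capture path even under sudo; the symptom is "Permission denied".
tcpdump_apparmor_denials() {
    grep 'apparmor="DENIED"' | grep 'profile="/usr/sbin/tcpdump"' \
        | sed -n 's/.*operation="\([^"]*\)".*name="\([^"]*\)".*/\1 \2/p'
}

# Constructed sample kernel log lines (not from any real system)
SAMPLE_LOG='audit: type=1400 audit(1285920000.1:40): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/srv/caps/cap_00001.pcap" pid=1234 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
audit: type=1400 audit(1285920000.2:41): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/shadow" pid=1235 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
eth0: link up'

# Run the pipeline only when src dir, dst dir and subnet list are given; otherwise demo.
if [ $# -ge 3 ]; then
    filter_captures "$1" "$2" "$3"
else
    printf 'BPF filter: %s\n' "$(build_bpf "10.1.0.0/16 10.2.0.0/24")"
    printf '%s\n' "$SAMPLE_LOG" | tcpdump_apparmor_denials
fi
```

Run it as `sh filter.sh second_dir filtered_dir "10.1.0.0/16 10.2.0.0/24"`; with no arguments it only prints the generated filter and the denial check over the sample log.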