
Dumpcap/tshark hint on how to use -b filter

asked 2021-07-01 10:06:32 +0000

daje

Hi,

Reading the dumpcap documentation https://www.wireshark.org/docs/man-pa... I got interested in the ring buffer filter packets => "packets:value switch to the next file after it contains value packets." Do you have any examples or hints on how to use it? Can I write pcaps according to packet flags or header information?

Thank you in advance


1 Answer


answered 2021-07-01 11:13:37 +0000

grahamb

Nope, it's simply a count of the number of packets in the current capture file. In the documentation, value is a placeholder for the number of packets.

There are no options to switch to the next file based on what's in the packets as dumpcap doesn't do dissection. Even if using tshark, which does dissect, there are no options to switch to the next file based on packet contents, mainly because it uses the same code as dumpcap.


Comments

Thank you for the answer! Do you have any hint on how to manage a pcap according to packet content? My problem is mainly related to the fact that I have a certain amount of data loss because the file stream gets split between two pcap files, so object extraction just delivers a corrupted file.

daje (2021-07-01 11:17:39 +0000)

If the object is split over multiple files you'll need to concatenate them to extract the complete object, i.e. using mergecap.

grahamb (2021-07-01 11:27:40 +0000)

OK, I think this is the only way. It would be nice to have such a "splitting" feature as a sniffing filter for tshark. Do you think it is possible, technically speaking? I mean, can the dissection be done while sniffing?

daje (2021-07-02 05:36:51 +0000)

tshark supports dissection while filtering, at the cost of lower peak capture speeds.

Determining when to split, i.e. when all conversations are complete so a new file can be started, is a much more difficult thing; you'd need some sort of global conversation tracker, and when the other -b options have been met and all conversations are complete, then start a new file. I could imagine that if you're capturing on a server you might never get all conversations to the completed state; there would always be at least one in progress.

You could raise an enhancement request for this on the issue tracker.

grahamb (2021-07-02 07:39:42 +0000)
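To make the behaviour discussed in this thread concrete, here is an added example (not code from the question, the answer, or the Wireshark project) that simulates what `-b packets:N` does to an object carried across several packets, and what concatenating the files (as mergecap does) restores. It writes minimal libpcap files in pure Python, splits a constructed 5-packet "file transfer" into ring-buffer files of 3 packets each, shows that extracting from a single file yields a truncated object, and shows that merging all files in timestamp order yields the complete object. The packet records hold bare payload chunks rather than full Ethernet/IP/TCP frames, and `extract_payload` is a stand-in for tshark's object export, both of which are assumptions made to keep the demonstration short.

```python
import struct

# libpcap file format constants (little-endian, microsecond timestamps)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_FMT = "<IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_FMT = "<IIII"      # ts_sec, ts_usec, incl_len, orig_len


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """24-byte libpcap file header (version 2.4)."""
    return struct.pack(GLOBAL_HEADER_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, data):
    """One packet record: 16-byte header followed by the captured bytes."""
    return struct.pack(RECORD_HEADER_FMT, ts_sec, ts_usec, len(data), len(data)) + data


def write_ring_buffer(packets, packets_per_file):
    """Simulate dumpcap -b packets:N (constructed model, not dumpcap's code):
    start a new capture file every N packets, ignoring packet contents."""
    files, current, count = [], bytearray(pcap_global_header()), 0
    for ts_sec, ts_usec, data in packets:
        if count == packets_per_file:
            files.append(bytes(current))
            current, count = bytearray(pcap_global_header()), 0
        current += pcap_record(ts_sec, ts_usec, data)
        count += 1
    files.append(bytes(current))
    return files


def read_pcap(blob):
    """Parse a libpcap blob into (ts_sec, ts_usec, data) tuples."""
    magic = struct.unpack_from(GLOBAL_HEADER_FMT, blob, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off, records = struct.calcsize(GLOBAL_HEADER_FMT), []
    while off < len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(RECORD_HEADER_FMT, blob, off)
        off += struct.calcsize(RECORD_HEADER_FMT)
        records.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return records


def merge_pcaps(blobs):
    """Concatenate capture files the way mergecap does by default:
    every record from every input, ordered by timestamp."""
    records = [rec for blob in blobs for rec in read_pcap(blob)]
    records.sort(key=lambda rec: (rec[0], rec[1]))
    out = bytearray(pcap_global_header())
    for rec in records:
        out += pcap_record(*rec)
    return bytes(out)


def extract_payload(blob):
    """Stand-in for object export (assumption): join payloads in file order."""
    return b"".join(data for _, _, data in read_pcap(blob))


# Constructed sample: one object transferred in five packets, one second apart.
CHUNKS = [b"%PDF-1.4 ", b"constructed ", b"sample ", b"object body ", b"%%EOF"]
OBJECT = b"".join(CHUNKS)
PACKETS = [(1625133600 + i, i * 1000, chunk) for i, chunk in enumerate(CHUNKS)]


def demo(packets_per_file=3):
    """Return (number of files, object seen in the first file alone,
    object seen after merging all files)."""
    files = write_ring_buffer(PACKETS, packets_per_file)
    partial = extract_payload(files[0])
    complete = extract_payload(merge_pcaps(files))
    return len(files), partial, complete


if __name__ == "__main__":
    n_files, partial, complete = demo()
    print(f"{n_files} files written by the simulated ring buffer")
    print("first file alone :", partial, "(truncated)" if partial != OBJECT else "")
    print("after merge      :", complete, "(complete)" if complete == OBJECT else "")
```

With real tools the same workflow is `dumpcap -i <iface> -b packets:1000 -w capture.pcap` to produce the numbered files, `mergecap -w all.pcap capture_*.pcap` to rejoin them, and then object export from `all.pcap` (for example `tshark -r all.pcap --export-objects http,outdir`). The point of the simulation is that the split boundary is purely a packet count, so any object in flight at that boundary is incomplete in either file on its own.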
