Ask Your Question
0

Why did file size become bigger after applying filtering on tshark?

asked 2018-04-07 05:30:32 +0000

yyl05 gravatar image

Hello all,

I have a large pcap file that is ~ 5.16GB and I would like to reduce it to a smaller size by filtering out a list of ip addresses. I used the following command on tshark:

   C:\Program Files\Wireshark>tshark -r C:\Users\-\Desktop\Botnet-Training.pcap -Y "not(ip.addr==147.32.84.150 or ip.addr==147.32.84.140 or ip.addr==147.32.84.130 or ip.addr==147.32.84.160 or ip.addr==10.0.2.15 or ip.addr==192.168.106.141 or ip.addr==192.168.106.131 or ip.addr==172.16.253.130 or ip.addr==172.16.253.131 or ip.addr==172.16.253.129 or ip.addr==172.16.253.240 or ip.addr==74.78.117.238 or ip.addr==158.65.110.24 or ip.addr==192.168.3.35 or ip.addr==192.168.3.25 or ip.addr==192.168.3.65 or ip.addr==172.29.0.116 or ip.addr==172.29.0.109 or ip.addr==172.16.253.132 or ip.addr==192.168.248.165 or ip.addr==10.37.130.4)" -w C:\Users\-\Desktop\FYP\reduced.pcap

However, I got a file size of ~5.22GB instead.

Any suggestions on why?

Thank you very much

edit retag flag offensive close merge delete

Comments

What is printed if, in the Wireshark directory, you run

capinfos C:\Users\-\Desktop\Botnet-Training.pcap C:\Users\-\Desktop\FYP\reduced.pcap
Guy Harris gravatar imageGuy Harris ( 2018-04-07 05:51:38 +0000 )edit

Hello Guy Harris,

I got the following:

File name:         C:\Users\-\Desktop\Botnet-Training.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: 65535 bytes
Number of packets:   9388 k
File size:           5265 MB
Data size:           5115 MB
Capture duration:    121897416.419076 sec
First packet time:   2007-10-08 21:21:55.749708
Last packet time:    2011-08-19 17:45:32.168784
Data byte rate:      41 bytes/s
Data bit rate:       335 bits/s
Average packet size: 544.84 bytes
Average packet rate: 0 packets/s
SHA1:                7f23d8ed9bf098280298cc931e7f8f8b1b9b1f01
RIPEMD160:           e2d13c8f22440588c9723bec7729dca77ef73e09
MD5:                 0ea0131714c2b7dbdba4fd214f129fc7
Strict time order:   False
Number of interfaces in file: 1
Interface #0 info:
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 65535
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Number of stat entries = 0
                     Number of packets = 9388270

File name:           C:\Users\-\Desktop\FYP\reduced.pcap
File type:           Wireshark/... - pcapng
File encapsulation ...
(more)
yyl05 gravatar imageyyl05 ( 2018-04-07 06:31:00 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-04-07 11:33:53 +0000

Jaap gravatar image

You started off with a PCAP format file and ended up with a PCAPNG format file. So even though the amount of frames is probably reduced, the file format itself is more 'bloated', so the file size reduction is negated.

Try adding the -F pcap option to the command line to force the output format to match the input format, and see what happens.

edit flag offensive delete link more

Comments

Yeap that solves it, thanks a bunch!

yyl05 gravatar imageyyl05 ( 2018-04-07 17:20:31 +0000 )edit

The number of frames was reduced, as per the capinfos output above, but it wasn't reduced by much - 9388270 packets to 9342486 packets - so the additional size of each frame record in pcapng outweighed the reduced number of records.

Guy Harris gravatar imageGuy Harris ( 2018-04-07 17:50:26 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-04-07 05:30:32 +0000

Seen: 1,352 times

Last updated: Apr 07 '18