Ask Your Question
0

handling 150mb pcaps

asked 2018-07-10 02:13:07 +0000

kiowa gravatar image

i'm looking for feedback or best practices, or just approaches the community takes with dealing with a whole days worth of pcaps. i'm using security onion. it collects full packet captures for 2 LANs x.x.x.x/21. A lot of traffic. It collects 150MB per packet.

what does anyone do when trying to sift, coordinate, 'get the ful picture.' Currently I am using IDS tools to find a specific time to investigate with the pcap, but i'm doing them one by one. what if you want to expand to an hour of traffic? what if you wanted to look for a trend in traffic that would not be noticed in individual pcaps? how would you handle information for a stream that extends out of the 150mb limit?

edit retag flag offensive close merge delete
add a comment

6 Answers

Sort by » oldest newest most voted
2

answered 2018-07-10 16:15:05 +0000

Jasper gravatar image

I usually throw them all into TraceWrangler at once (as @NJL suggested already), and use the Tools/Communication Details menu option to look at the conversations I need. Double clicking a row extracts all packets of the conversation to a new PCAP and runs Wireshark to open it for investigation.

It's also possible to use extraction tasks to extract only those conversations with a Snort alert to inspect them specificially.

TraceWrangler is available here: https://www.tracewrangler.com

edit flag offensive delete link more

Comments

thanks Jasper. I just read about tracewranger in a wireshark book. i'm going to look into this. Can Wireshark combine multiple pcaps? MergeCap?

kiowa gravatar imagekiowa ( 2018-07-10 17:33:48 +0000 )edit
1

You can merge pcaps by simply dragging all of them onto Wireshark or use the "File->Merge" dialog (requires that you have one PCAP already opened in Wireshark). You can also use the mergecap command-line tool and finally you can also use TraceWrangler to merge captures into one. You could also use tshark to do a commandline analysis of your large capture files, filter what you want and export it to separate files and then merge everything together. Depending on the amount of data this might be the preferred method and simply leave your machine "cooking" overnight etc., but of course it requires you to do some form of scripting (bash/python/BATCH etc.)

NJL gravatar imageNJL ( 2018-07-11 07:14:53 +0000 )edit
add a comment
0

answered 2022-06-10 08:22:27 +0000

khuongnn77 gravatar image

Hello Everyone.

I have a error about vpn site to site

Main purpose use the video conferecen

but when i start the wireshark infor TCP DUP and Retranmission.

Please help me

edit flag offensive delete link more
add a comment
0

answered 2019-12-13 04:33:45 +0000

wbenton gravatar image

I used to work with massive 800MB captures... hundreds of them.

You start using tshark for management like the following:

tshark -i 1 -b filesize:800000 -w 800mb.pcapng

Then you use tshark to read hundreds of files for certain specific things like IP address, http contains, tcp contains, frame contains, etc.

I perform a MSDOS prompt dir and dump the *.pcapng files to a 800mb.txt text file. Read it into Excel using .csv format and then create your recursive search for what ever it is you want for every file in the list. I've used it on up to 233 files x 800MB each and it works.

Cheers,

edit flag offensive delete link more
add a comment
0

answered 2018-07-10 15:05:39 +0000

NJL gravatar image

I can recommend Riverbeds Packet Analyzer. It's very snappy and makes it very easy to work with multi-GB capture files. You can filter and graph almost anything and it's easy to export a selection of traffic to Wireshark for detailed packet-by-packet analysis.

If you're after following specific TCP sessions across multiple capture files I can recommend TraceWrangler. It has it's limitations, bugs etc. but when it works it's great and makes it very easy.

Do you know what you're looking for in your captures or are you looking for something that's just "odd"?

edit flag offensive delete link more
add a comment
0

answered 2018-07-10 13:11:42 +0000

Christian_R gravatar image

The best thing is,when you know for what you are looking for and when it has happened. Otherwise there can be a lot of approaches. But one thing that can work is the graphical analysis. ( Looking for peaks)

edit flag offensive delete link more
add a comment
0

answered 2018-07-10 12:02:07 +0000

thetechfirm gravatar image

I usually slice the packets and try to filter oUT the broadcasts .. assuming that's not an issue.

edit flag offensive delete link more

Comments

yea save filters are very great for things like broadcasts, but when you have 10 pcaps you need to invesetigate bc you need the range of events you can only filter the pcap you have open.

Isn't there MergeCap? Would you use that to import several pcaps into one viewing?

kiowa gravatar imagekiowa ( 2018-07-10 17:29:58 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2018-07-10 02:13:07 +0000

Seen: 892 times

Last updated: Jun 10 '22

Related questions

Delay in GOOSE Subscription

What is the syntax for wireshark custom column

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark

Can I create a capture filter on a pcap file

How can I extract parameters from pcap

How to figure out cookies from pcap files?

extract only payload parts of packets of pcap file

Is there a maximum file size for pcap-files?

How to use rawshark to analyse a pcap file which is generated by tcpdump?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2