Ask Your Question

Using tshark filters to extract only interesting traffic from 12GB trace

asked 2017-11-29 10:16:45 +0000

ddkk gravatar image

I have a big trace: 12GBytes and I would like to use tshark to filter the traffic I'm interested in. It has the following characteristic: - session ends up in RST - session duration is lower than 30 seconds - session's traffic is between 200KB and 1MB - amount of packets in session is < than 200. Can I use any of the tshark 2 pass filters to only extract packets belonging to these sessions I'm interested in (using any of the criteria above) and drop everything else? I have to make trace smaller by throwing away the data, which is not interesting for the analysis. FYI: capture is between F5 and a server, and IPs pair is fixed, and ports are random, therefore no standard filtering can be applied …

edit retag flag offensive close merge delete


You can try TraceWrangler for this special search, but as far as I know you have to split the 12gb in 2gb files. If it not works than you should follow @grahamb s answer

Christian_R gravatar imageChristian_R ( 2017-11-30 16:44:25 +0000 )edit

1 Answer

Sort by » oldest newest most voted

answered 2017-11-29 10:57:52 +0000

grahamb gravatar image

I think you'll have to use some post processing with a scripting language of your choice.

I would first extract the frame.time and and tcp.flags (using -T fields -e xxx) for packets with a filter of "tcp.flags == 0x2 or tcp.flags.reset == 1" to get the start and end of sessions, then work out the stream indexes for sessions that are less than 30s.

This will give you the stream indexes for sessions that meet the time requirements and these can be used to filter the original file down a bit.

To further filter on session size is a bit trickier, unfortunately the -z conv,tcp option doesn't show the stream indexes although it does show the size. I guess you could do something with the sequence numbers and calculate size that way.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2017-11-29 10:16:45 +0000

Seen: 3,035 times

Last updated: Nov 29 '17