Ask Your Question
0

Using tshark filters to extract only interesting traffic from 12GB trace

asked 2017-11-29 10:16:45 +0000

ddkk gravatar image

I have a big trace: 12GBytes and I would like to use tshark to filter the traffic I'm interested in. It has the following characteristic: - session ends up in RST - session duration is lower than 30 seconds - session's traffic is between 200KB and 1MB - amount of packets in session is < than 200. Can I use any of the tshark 2 pass filters to only extract packets belonging to these sessions I'm interested in (using any of the criteria above) and drop everything else? I have to make trace smaller by throwing away the data, which is not interesting for the analysis. FYI: capture is between F5 and a server, and IPs pair is fixed, and ports are random, therefore no standard filtering can be applied …

edit retag flag offensive close merge delete

Comments

You can try TraceWrangler for this special search, but as far as I know you have to split the 12gb in 2gb files. If it not works than you should follow @grahamb s answer

Christian_R gravatar imageChristian_R ( 2017-11-30 16:44:25 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
1

answered 2017-11-29 10:57:52 +0000

grahamb gravatar image

I think you'll have to use some post processing with a scripting language of your choice.

I would first extract the frame.time and tcp.stream and tcp.flags (using -T fields -e xxx) for packets with a filter of "tcp.flags == 0x2 or tcp.flags.reset == 1" to get the start and end of sessions, then work out the stream indexes for sessions that are less than 30s.

This will give you the stream indexes for sessions that meet the time requirements and these can be used to filter the original file down a bit.

To further filter on session size is a bit trickier, unfortunately the -z conv,tcp option doesn't show the stream indexes although it does show the size. I guess you could do something with the sequence numbers and calculate size that way.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2017-11-29 10:16:45 +0000

Seen: 3,153 times

Last updated: Nov 29 '17

Related questions

Resolve frame subtype and export to csv

Why did file size become bigger after applying filtering on tshark?

how to capture udp traffic with a length of 94

Capture incoming packets from remote web server

Localhost capturing

How to filter out TCP retransmissions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

My UDP packets aren't showing

Capture Filters - SSL Handshake or HEX