This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Argument List too Long

0

Hello,

I've written this simple script for tshark. What it does is extract all of the TCP connections that contain a SYN packet within the capture.

#!/bin/bash

file=$1 outfile=$2

string="" counter=0

# tshark prints ip.src, ip.dst, tcp.srcport and tcp.dstport for every SYN packet;
# word splitting hands the four fields to the loop one at a time
# (tshark's -T fields output is tab-separated, so cut -d ' ' is effectively a pass-through)
for src in $(tshark -r "$file" -R "tcp.flags.syn == 1" -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport | cut -d ' ' -f1-4)
do
    if [ $counter == 0 ]; then
        string=$string"(ip.src == $src && "
    elif [ $counter == 1 ]; then
        string=$string"ip.dst == $src && "
    elif [ $counter == 2 ]; then
        string=$string"tcp.srcport == $src && "
    else
        string=$string"tcp.dstport == $src) || "
    fi

    if [ $counter == 3 ]; then
        let counter=0
    else
        let counter=$counter+1
    fi
done

# drop the trailing " || "
string=${string%????}

tshark -r "$file" -R "$string" -w "$outfile"

My problem is, for large .pcap files, I get an “argument list too long” error when executing the final tshark command. I assume my filter grows too large.

Is there any scripting wizardry that would allow me to duplicate my expected results without getting an “argument list too long” error?

asked 22 Sep ‘10, 11:10


cmkastn
accept rate: 0%


One Answer:

0

You could make the filter smaller by using the "tcp.stream==<x>" filter instead of two ip/ip/port/port filters per connection. This would change your script into:

#!/bin/bash

file=$1 outfile=$2

filter=""

# one tcp.stream index per connection that starts with a SYN (SYN set, ACK clear)
for stream in $(tshark -r "$file" -R "tcp.flags.syn == 1 && tcp.flags.ack==0" -T fields -e tcp.stream)
do
    filter=$filter"tcp.stream==$stream||"
done

# drop the trailing "||"
filter=${filter%??}

tshark -r "$file" -w "$outfile" "$filter"

Of course that only helps to a certain amount. If you really want to be safe in all situations, you can loop through all the tcp sessions and filter them out individually into new files and then merge them all together with mergecap afterwards. But that’s uhmm… well, not very efficient ;-)

answered 22 Sep ‘10, 11:24


SYN-bit ♦♦
accept rate: 20%
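The "argument list too long" error in the question is the kernel rejecting the exec because the filter string is too big for a single argument (on Linux one argument is capped at 128 KiB, MAX_ARG_STRLEN, and the total argument size is bounded as well). The answer's tcp.stream filter shrinks the string, and its "loop per session and merge with mergecap" idea removes the limit entirely. The script below, which is added example code and not the poster's or SYN-bit's script, combines the two: it collects the stream indexes of SYN-initiated connections, splits them into batches of a fixed size so that every tshark invocation gets one short filter argument, writes each batch to its own file and merges the files with mergecap. It assumes tshark and mergecap are on PATH and uses -Y, the display-filter option of current tshark releases (the thread's -R was the equivalent in the releases of the time). The function build_filter_chunks is pure shell so it can be checked without a capture file.

```shell
#!/bin/bash
# Added example, not from the original thread: extract every TCP stream that
# begins with a SYN, in batches small enough to stay far below ARG_MAX, then
# merge the per-batch captures with mergecap.
# Assumed: tshark and mergecap on PATH; field names tcp.stream, tcp.flags.syn
# and tcp.flags.ack as used in the thread.

set -eu

# build_filter_chunks <max-per-chunk>: read one tcp.stream index per line on
# stdin and print one display filter per line, each OR-ing at most
# max-per-chunk stream indexes. Blank input lines are ignored.
build_filter_chunks() {
    max_per_chunk=$1
    filter="" n=0
    while IFS= read -r stream; do
        [ -n "$stream" ] || continue
        filter="${filter}tcp.stream==${stream}||"
        n=$((n + 1))
        if [ "$n" -eq "$max_per_chunk" ]; then
            printf '%s\n' "${filter%??}"   # drop the trailing "||"
            filter="" n=0
        fi
    done
    # flush the last, possibly partial, chunk
    [ -z "$filter" ] || printf '%s\n' "${filter%??}"
}

# syn_streams <capture>: list every tcp.stream that has an initial SYN,
# de-duplicated so retransmitted SYNs do not list the same stream twice.
syn_streams() {
    tshark -r "$1" -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
           -T fields -e tcp.stream | sort -n -u
}

# extract_syn_streams <in.pcap> <out.pcapng> [streams-per-batch]
extract_syn_streams() {
    infile=$1 outfile=$2 per_batch=${3:-500}
    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT
    syn_streams "$infile" | build_filter_chunks "$per_batch" > "$tmpdir/chunks.txt"
    i=0
    while IFS= read -r chunk; do
        i=$((i + 1))
        # each batch filter is one argument of a few KB, well below the limit
        tshark -r "$infile" -Y "$chunk" -w "$tmpdir/batch-$i.pcapng"
    done < "$tmpdir/chunks.txt"
    [ "$i" -gt 0 ] || { echo "no SYN-initiated streams found in $infile" >&2; return 1; }
    # mergecap orders packets by timestamp, so the glob order does not matter
    mergecap -w "$outfile" "$tmpdir"/batch-*.pcapng
}

# Run as a script: ./syn-streams.sh capture.pcap syn-only.pcapng [batch-size]
[ "$#" -eq 0 ] || extract_syn_streams "$@"
```

A batch size of 500 keeps each filter argument around 10 KB; lowering it only costs extra passes over the input file, so it is safe to tune down if a platform has a smaller argument limit. If the capture is large enough that repeated passes hurt, the batch size is the knob to raise, up to whatever stays comfortably under the single-argument limit.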