This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract syn packets from massive pcap file


Hi, I'm trying to baseline SYN rates on our network. I have a 145GB pcap and I'm trying to use tshark to extract them.

tshark -Y tcp[13]==02 -r "reallybigpcap.cap" -w syns.pcap

This eventually fails with a "failed to allocate memory" error. I think it's trying to load the whole file into RAM and fails.

Can anyone suggest another tool that can do what I want?

asked 17 Mar '15, 07:30


20fathoms

thanks all!

(18 Mar '15, 13:05) 20fathoms

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(18 Mar '15, 16:03) grahamb ♦

2 Answers:


You might first try truncating the file to only the first 66 bytes (IPv4) to limit the amount of additional protocol decoding that tshark needs to do. Use editcap to create a new file.

editcap -s 66 reallybigcap.cap newsmallercap.cap

This will only grab the bytes up through the IPv4 header in each packet. Then, re-try your tshark command with the "newsmallercap.cap" file. Tshark will still use up memory, but hopefully less than before.

If there's a better way, please let me know too!

answered 17 Mar '15, 11:08


zachad


You can use tcpdump or windump for this purpose, as they do not keep (as much) state (as tshark). If the file is still too big to process, you can use editcap to split it into chunks, then process each chunk and merge the filtered parts back into one file with mergecap.

Editcap and mergecap come with Wireshark; tcpdump/windump are separate programs.

answered 17 Mar '15, 12:05


SYN-bit ♦♦
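As an added example that is not from this thread (my own code, not a Wireshark tool): a small Python filter that streams a pcap one record at a time, so memory use is one packet rather than the whole file, and keeps only TCP segments with SYN set and ACK clear (tcpdump's `tcp-syn and not tcp-ack`, a superset of the question's `tcp[13]==02` that also admits ECN-marked SYNs). It assumes classic pcap (not pcapng) with Ethernet link type and IPv4; the sample pcap it is run on is constructed inline.

```python
import struct
from io import BytesIO

PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond pcap, LE/BE
              b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond pcap, LE/BE

def is_pure_syn(frame):
    """Ethernet/IPv4/TCP frame with SYN set and ACK clear (flags byte is tcp[13])."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 14:       # proto 6 = TCP; need tcp[13]
        return False
    return frame[14 + ihl + 13] & 0x12 == 0x02             # 0x02 = SYN, 0x10 = ACK

def extract_syns(src, dst):
    """Stream pcap src record by record, copy SYN-only records to dst, return count."""
    magic = src.read(4)
    endian = PCAP_MAGIC[magic]                             # KeyError: not a classic pcap
    dst.write(magic + src.read(20))                        # keep snaplen/linktype as-is
    count = 0
    while True:
        rec = src.read(16)                                 # ts_sec, ts_usec, incl_len, orig_len
        if len(rec) < 16:
            break
        frame = src.read(struct.unpack(endian + "IIII", rec)[2])
        if is_pure_syn(frame):
            dst.write(rec + frame)
            count += 1
    return count

def build_frame(tcp_flags):
    """Constructed minimal Ethernet/IPv4/TCP frame (no options) with the given TCP flags byte."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return eth + ip + tcp

def sample_pcap(flag_list):
    """Constructed little-endian pcap (LINKTYPE_ETHERNET) with one frame per TCP flags value."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, flags in enumerate(flag_list):
        frame = build_frame(flags)
        out += struct.pack("<IIII", 1426600000 + i, 0, len(frame), len(frame)) + frame
    return out

def filter_bytes(data):
    """Run extract_syns on an in-memory pcap; return (syn_count, output_pcap_bytes)."""
    sink = BytesIO()
    return extract_syns(BytesIO(data), sink), sink.getvalue()
```

On a real file, open the source and destination in binary mode and pass them to `extract_syns`; the output keeps the original global header, so editcap, mergecap and tshark read it unchanged.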

I wonder if this is a good use case for enhancing dumpcap to be able to read capture files?

By the way, I'll just mention another possible method for getting information from a big file. It involves the use of tail, rawshark and grep. Admittedly, it's sort of a hack, and you can't save the resulting packets to a new file, but it might be useful to someone:

tail -c +25 file.pcap | rawshark -d encap:EN10MB -F field1 -F field2 ... -F fieldn -R "tcp.flags.syn == 1" -r - | grep "1 \-$"

(19 Mar '15, 14:44) cmaynard ♦♦

I would rather see editcap extended with capture filter capabilities; it seems like a more logical place :-)

(19 Mar '15, 15:42) SYN-bit ♦♦