This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Save a sorted file using Wireshark

0

I have sorted my 822 MB pcap file by source IP address in ascending order using Wireshark (I tried with tshark on command line, using |sort, but nothing would happen, stalled, had to ^C). Bt now I need to save that sorted display to another pcap file for further filtering. I tried Export>Specified Packets ,and Export>Packet Dissections, and both save the original file, the unsorted one. How can I save this sorted display? Thank you.

asked 19 Nov '16, 22:33

MaryR's gravatar image

MaryR
26558
accept rate: 0%


One Answer:

0

One (slow) way to obtain that goal would be to use scripting. The suggestion below is not tested so you'll probably have to debug it.

At first pass, you'd obtain the list of all source addresses occurring in the capture file, something like:

ip_list = $(tshark -r your/capture/file -T fields -e ip.src | sort -u)

and prepare an empty pcap file to merge the rest with:

tshark -r your/capture/file -Y usb -w your/result/file

Next, you would use a "foreach" cycle over the list:

for ip in $ip_list ; do
    tshark -r your/capture/file -Y "ip.src == $ip" -w /tmp/aux_in_file
    mergecap -a your/result/file /tmp/aux/in_file -w /tmp/aux_out_file
    mv /tmp/aux_out_file your/result/file
done

Clarifications:

  • -Y usb is an example of a display filter which won't let a single frame through if the input has been captured on an Ethernet interface

  • without -w file/name, tshark produces a text output, one line per frame, and sends it to stdout so you pipe it to sort; with -w file/name, the output is a pcap(ng)-formatted file and there is nothing on stdout that sort could handle.

  • the -a option to mergecap makes it append the second input file to the first one, rather than actually merging them, i.e. ordering frames from both up to their timestamps, which is the default behaviour.

answered 20 Nov '16, 01:20

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%