Date:      Tue, 30 Apr 2002 11:00:56 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        freebsd-questions@freebsd.org
Subject:   tcpdump(8) filtered by time
Message-ID:  <20020430110056.B55983@blossom.cjclark.org>

Slightly off-topic, but I'd like to see if anyone has any ideas.

I have a tcpdump(8) file that spans a few hours. I want to isolate
an hour somewhere in the middle and dump it to a new file. I can't
figure out how to do this.

I know how to work around the issue to capture packets for 'x' amount
of time from the beginning of the file[0], but I can't come up with a
way to grab packets starting at an offset somewhere past the beginning
(either by time or count).

Anyone have any ideas on how to do this? I guess I'm stuck editing the
binary by hand or making my own tool to mess with the pcap(3) file?

[0] To grab the first 'x' seconds (minutes, whatever), you can first
dump the file and print the packets. Run the printed output through
grep(1), awk(1), perl(1), or filter all but the packets up to the time
you want. Count the number of lines printed with wc(1) (of course,
with awk(1) or perl(1) you can just do the counting in the script
itself), and then use the '-c' argument of tcpdump(1),

  $ tcpdump -r big.pcap -c <count> -w timed.pcap

So, the ability to specify arbitrary ranges of packets by count is
essentially equivalent to being able to do time ranges, but I still
can't figure out how to start at an offset by count.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
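The "make my own tool to mess with the pcap(3) file" route the post considers is less work than it sounds, because the libpcap savefile format is simple: a 24-byte global header followed by records, each with a 16-byte header carrying the timestamp (seconds plus microseconds or, for the newer magic, nanoseconds) and the captured length. The script below is an added example, not code from the post or from the tcpdump project; it parses that format directly, keeps only the records whose timestamp falls inside a window expressed as an offset from the first packet plus a duration, and writes the surviving records behind the unchanged global header. The sample capture it operates on is constructed in memory (eight dummy packets 30 minutes apart), so it runs offline; the function names and the sample contents are this example's own.

```python
import struct
from typing import Iterator, List, Tuple

# libpcap savefile constants (see pcap-savefile(5)).
MAGIC_USEC = 0xA1B2C3D4          # timestamps in seconds + microseconds
MAGIC_NSEC = 0xA1B23C4D          # timestamps in seconds + nanoseconds
GLOBAL_HDR = "IHHiIII"           # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = "IIII"                 # ts_sec, ts_frac, incl_len, orig_len
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16


def _endianness(magic_bytes: bytes) -> Tuple[str, int]:
    """Return (struct byte-order prefix, fractional-second divisor) for a pcap magic."""
    for prefix in ("<", ">"):
        magic = struct.unpack(prefix + "I", magic_bytes)[0]
        if magic == MAGIC_USEC:
            return prefix, 1_000_000
        if magic == MAGIC_NSEC:
            return prefix, 1_000_000_000
    raise ValueError("not a pcap savefile: bad magic %r" % magic_bytes)


def iter_records(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp_in_seconds, raw_record_bytes) for every packet record.

    The raw bytes include the 16-byte record header, so they can be copied
    straight into a new file without re-encoding anything."""
    prefix, frac = _endianness(data[:4])
    off = GLOBAL_HDR_LEN
    while off + REC_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(prefix + REC_HDR, data, off)
        end = off + REC_HDR_LEN + incl_len
        if end > len(data):
            # A truncated last record: refuse rather than emit a half packet.
            raise ValueError("truncated record at offset %d" % off)
        yield ts_sec + ts_frac / frac, data[off:end]
        off = end


def slice_by_time(data: bytes, start_offset: float, duration: float) -> bytes:
    """Return a new pcap holding only packets with timestamp in
    [first_ts + start_offset, first_ts + start_offset + duration).

    Offsets are relative to the first packet, which matches how the post
    thinks about "an hour somewhere in the middle" of a capture."""
    header = data[:GLOBAL_HDR_LEN]
    records: List[Tuple[float, bytes]] = list(iter_records(data))
    if not records:
        return header
    t0 = records[0][0]
    lo, hi = t0 + start_offset, t0 + start_offset + duration
    return header + b"".join(rec for ts, rec in records if lo <= ts < hi)


def count_packets(data: bytes) -> int:
    return sum(1 for _ in iter_records(data))


def build_sample_pcap(start_epoch: int, count: int, spacing: int) -> bytes:
    """Constructed sample: a little-endian, microsecond pcap with `count`
    dummy packets spaced `spacing` seconds apart. Payloads are filler, not
    real frames (linktype 1 = Ethernet is only there to make a valid header)."""
    hdr = struct.pack("<" + GLOBAL_HDR, MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    recs = []
    for i in range(count):
        payload = bytes([i]) * 20
        recs.append(struct.pack("<" + REC_HDR, start_epoch + i * spacing, 0,
                                len(payload), len(payload)) + payload)
    return hdr + b"".join(recs)


if __name__ == "__main__":
    # Eight packets, 30 minutes apart: a 3.5-hour capture.
    big = build_sample_pcap(1_020_000_000, 8, 1800)
    # Keep the hour starting one hour in: packets at +3600 s and +5400 s.
    timed = slice_by_time(big, start_offset=3600, duration=3600)
    print("kept %d of %d packets" % (count_packets(timed), count_packets(big)))
    with open("timed.pcap", "wb") as fh:
        fh.write(timed)
```

Because records are copied verbatim and the global header is kept, the output stays a normal savefile that tcpdump -r can read, and the same code handles the starting-at-an-offset-by-count case by replacing the timestamp test with an index range over the record list.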
