From owner-freebsd-questions@FreeBSD.ORG  Tue Nov 18 21:30:41 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 603631065670
	for <questions@freebsd.org>; Tue, 18 Nov 2008 21:30:41 +0000 (UTC)
	(envelope-from dudu.meyer@gmail.com)
Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.241])
	by mx1.freebsd.org (Postfix) with ESMTP id 152438FC1E
	for <questions@freebsd.org>; Tue, 18 Nov 2008 21:30:40 +0000 (UTC)
	(envelope-from dudu.meyer@gmail.com)
Received: by an-out-0708.google.com with SMTP id b6so1342573ana.13
	for <questions@freebsd.org>; Tue, 18 Nov 2008 13:30:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from:to
	:subject:mime-version:content-type:content-transfer-encoding
	:content-disposition;
	bh=pfheWpyScQYNfECQr5JoN/hJbX4OX6Dka1vH5rxKYqg=;
	b=NfNAA9IpoRI6HU4DfikBmf7IFa8c+I2R08+n3wwWvE+9a7hhSiGHSvjd8Qf5w3itZB
	WB3tpc11a6H/jffZD8+olNZVEGDurvNk5IdMhsDNsicCGvt9IyJBZLSRQm9kHOEBNY1F
	d5f6kn++oni16rQgnvfaUQZDTj5hCeiccmJVc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:to:subject:mime-version:content-type
	:content-transfer-encoding:content-disposition;
	b=ZBWOTHeUZmMtGQfQW2iMkohxyZuQLCTldBTWonV67u+JUWI0Fpmf7h1mPLabmVjK27
	YBrmzWCQbisBsyXuUL1koWxJ8bpHzPdKL3g1nSSJFPAuzvugCUEPIufUPiKqBgrQ9iV5
	XYIqL1y13CwJZF1GBUqxLcDMhNYoVlrHDQtjA=
Received: by 10.143.43.7 with SMTP id v7mr132933wfj.192.1227043839841;
	Tue, 18 Nov 2008 13:30:39 -0800 (PST)
Received: by 10.142.229.10 with HTTP; Tue, 18 Nov 2008 13:30:39 -0800 (PST)
Message-ID: <d3ea75b30811181330o61fd850du440d9db0790bf1af@mail.gmail.com>
Date: Tue, 18 Nov 2008 19:30:39 -0200
From: "Eduardo Meyer" <dudu.meyer@gmail.com>
To: stable@freebsd.org, questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: 
Subject: tcpdump(1) filter by date
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2008 21:30:41 -0000

Hello,

I have a kind big tcpdump file, which has data from the last week. I
want to dump information based on date. Can I do it without generating
a full output and later parse the headers?

Say, I want to filter by date in the <expression> filter and not with

tcpdump -r dumpfile | awk '{<some-black-magic-here}'

Because sometimes I want o search the full packet content (-vvv, -XX,
-T, ...) by date, and as its a huge file, dumpling everthing and
parsing it later on run-time wound consume too much memory (its a
couple of GBs file).

Thank you all, but I could not find a "date" keyword for filtering expression.

However, counting by packets sequence would also fit my needs because
the need is to, say, "analyse until a certain point" and later
"continue analysing from where I stopped", so, lets say

tcpdump -r dumpfile -c 10000

Would allow me to read the first 10000 packets from the dumpfile.
Later I would need to keep doing my job from packet 10001 to 20000.
The "date" question is because I can check the precise epoch timestamp
of the last packet I have read and later, ask tcpdump to print -c
<count> number of packets starting from the epoch-formatted date I
have paused my work later.

Sometimes I will also need this for pflog files, so, I would
appreciate any tips to do this with tcpdump custom files or pflog
generated files if there is anything would fit for one situation but
not for another.

Thank you all in advance.



-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br