Date: Tue, 18 Nov 2008 19:30:39 -0200
From: "Eduardo Meyer" <dudu.meyer@gmail.com>
To: stable@freebsd.org, questions@freebsd.org
Subject: tcpdump(1) filter by date
Message-ID: <d3ea75b30811181330o61fd850du440d9db0790bf1af@mail.gmail.com>
Hello,

I have a kind of big tcpdump file, which has data from the last week. I want to dump information based on date. Can I do it without generating a full output and later parsing the headers? Say, I want to filter by date in the <expression> filter and not with

tcpdump -r dumpfile | awk '{<some-black-magic-here>}'

because sometimes I want to search the full packet content (-vvv, -XX, -T, ...) by date, and as it's a huge file, dumping everything and parsing it later at run-time would consume too much memory (it's a couple of GBs file).

Thank you all, but I could not find a "date" keyword for the filtering expression. However, counting by packet sequence would also fit my needs, because the need is to, say, "analyse until a certain point" and later "continue analysing from where I stopped", so, let's say

tcpdump -r dumpfile -c 10000

would allow me to read the first 10000 packets from the dumpfile. Later I would need to keep doing my job from packet 10001 to 20000. The "date" question is because I can check the precise epoch timestamp of the last packet I have read and later ask tcpdump to print -c <count> packets starting from the epoch-formatted date at which I paused my work.

Sometimes I will also need this for pflog files, so I would appreciate any tips to do this with tcpdump custom files or pflog-generated files, if there is anything that would fit one situation but not another.

Thank you all in advance.

--
===========
Eduardo Meyer
personal: dudu.meyer@gmail.com
professional: ddm.farmaciap@saude.gov.br
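The "resume from an epoch timestamp, print N packets" workflow described above, as an added example that is not part of the original message or of tcpdump: it walks the libpcap file format directly (24-byte global header, then 16-byte record headers carrying ts_sec/ts_usec) and writes a smaller pcap holding only the wanted window, which tcpdump -r can then read with any -vvv/-XX options. It assumes the classic little-endian microsecond pcap format (magic 0xa1b2c3d4) and builds its own constructed sample file.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4                  # little-endian, microsecond timestamps only
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, ver_maj, ver_min, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len

def iter_records(data):
    """Yield (ts_sec, ts_usec, packet_bytes) for each record in a pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:   # big-endian or nanosecond variants are rejected, not misread
        raise ValueError("unsupported pcap magic: %#x" % magic)
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + incl_len > len(data):   # a truncated capture must not yield a short packet
            raise ValueError("truncated record at offset %d" % off)
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def slice_pcap(data, start_epoch, count):
    """Return a pcap blob with the first `count` records whose timestamp is
    >= start_epoch (seconds). The global header is copied verbatim, so the
    result has the same link type and snaplen and tcpdump -r accepts it."""
    out = [data[:GLOBAL_HDR.size]]
    taken = 0
    for ts_sec, ts_usec, pkt in iter_records(data):
        if ts_sec + ts_usec / 1e6 < start_epoch:
            continue                      # still before the point where work was paused
        if taken >= count:
            break                         # equivalent of tcpdump -c <count>
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(pkt), len(pkt)) + pkt)
        taken += 1
    return b"".join(out)

def make_sample_pcap(epochs):
    """Constructed sample capture: one 14-byte dummy frame per integer epoch, linktype 1."""
    hdr = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    recs = []
    for i, ts in enumerate(epochs):
        pkt = bytes([i]) * 14
        recs.append(REC_HDR.pack(ts, 0, len(pkt), len(pkt)) + pkt)
    return hdr + b"".join(recs)

if __name__ == "__main__":
    sample = make_sample_pcap([1226950000, 1226950001, 1226950002, 1226950003])
    with open("window.pcap", "wb") as f:          # then: tcpdump -r window.pcap -vvv
        f.write(slice_pcap(sample, 1226950001, 2))
```

Seeking by timestamp still reads every record header sequentially, but only the record headers, so memory use stays flat regardless of capture size.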