From: David Wolfskill
To: Eduardo Meyer
Cc: stable@freebsd.org
Date: Tue, 18 Nov 2008 13:41:05 -0800
Subject: Re: tcpdump(1) filter by date
Message-ID: <20081118214105.GL83287@bunrab.catwhisker.org>

[Cross-post to -questions elided, since I saw the message on -stable, and
I'd like to discourage gratuitous cross-posting.  dhw]

On Tue, Nov 18, 2008 at 07:30:39PM -0200, Eduardo Meyer wrote:
> Hello,
>
> I have a kind big tcpdump file, which has data from the last week. I
> want to dump information based on date. Can I do it without generating
> a full output and later parse the headers?

See the port net/tcpslice.  Here's an excerpt from its man page:

DESCRIPTION
       Tcpslice is a program for extracting portions of packet-trace files
       generated using tcpdump(l)'s -w flag.  It can also be used to merge
       together several such files, as discussed below.
...
       There are a number of ways to specify times.  The first is using Unix
       timestamps of the form sssssssss.uuuuuu (this is the format specified
       by tcpdump's -tt flag).  For example, 654321098.7654 specifies 38
       seconds and 765,400 microseconds after 8:51PM PDT, Sept. 25, 1990.

> ...

Peace,
david
-- 
David H. Wolfskill david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
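
The time-window extraction described in the man page excerpt, as an added example that is not part of the original message and is not tcpslice's own code: it copies the records of a classic (microsecond-resolution) pcap file whose timestamps fall in an inclusive range given in the sssssssss.uuuuuu form. The function names, the linear scan and the inclusive bounds are assumptions made for this illustration, and the capture bytes are constructed sample data.

```python
import io
import struct

# Classic pcap magic as it appears on disk -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def parse_ts(text):
    """'sssssssss.uuuuuu' -> (seconds, microseconds), avoiding float rounding."""
    sec, _, frac = text.partition(".")
    return int(sec), int(frac.ljust(6, "0")[:6])

def slice_pcap(src, dst, start, end):
    """Copy records with start <= timestamp <= end from src to dst; return count."""
    header = src.read(24)
    order = MAGICS.get(header[:4])
    if len(header) != 24 or order is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    dst.write(header)  # the global header is reused unchanged
    kept = 0
    while True:
        rec = src.read(16)  # ts_sec, ts_usec, incl_len, orig_len
        if len(rec) < 16:
            break  # clean EOF or truncated record header
        sec, usec, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
        data = src.read(incl_len)
        if len(data) < incl_len:
            break  # capture was cut off mid-packet; drop the partial record
        if start <= (sec, usec) <= end:
            dst.write(rec + data)
            kept += 1
    return kept

def make_pcap(stamps):
    """Constructed sample: one 4-byte dummy packet per (sec, usec) timestamp."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in stamps:
        out += struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    capture = make_pcap([(654321097, 0), (654321098, 765400), (654321200, 0)])
    out = io.BytesIO()
    n = slice_pcap(io.BytesIO(capture), out,
                   parse_ts("654321098.7654"), parse_ts("654321199"))
    print(n, "packet(s) kept,", len(out.getvalue()), "bytes written")
```
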