Why did file size become bigger after applying filtering on tshark?

Hello all,

I have a large pcap file that is ~5.16GB and I would like to reduce it to a smaller size by filtering out a list of IP addresses. I used the following command on tshark:

   C:\Program Files\Wireshark>tshark -r C:\Users\-\Desktop\Botnet-Training.pcap -Y "not(ip.addr==147.32.84.150 or ip.addr==147.32.84.140 or ip.addr==147.32.84.130 or ip.addr==147.32.84.160 or ip.addr==10.0.2.15 or ip.addr==192.168.106.141 or ip.addr==192.168.106.131 or ip.addr==172.16.253.130 or ip.addr==172.16.253.131 or ip.addr==172.16.253.129 or ip.addr==172.16.253.240 or ip.addr==74.78.117.238 or ip.addr==158.65.110.24 or ip.addr==192.168.3.35 or ip.addr==192.168.3.25 or ip.addr==192.168.3.65 or ip.addr==172.29.0.116 or ip.addr==172.29.0.109 or ip.addr==172.16.253.132 or ip.addr==192.168.248.165 or ip.addr==10.37.130.4)" -w C:\Users\-\Desktop\FYP\reduced.pcap

However, I got a file size of ~5.22GB instead.

Any suggestions on why?

Thank you very much

yyl05 asked 2018-04-07 05:30:32 +0000

Comments

What is printed if, in the Wireshark directory, you run

capinfos C:\Users\-\Desktop\Botnet-Training.pcap C:\Users\-\Desktop\FYP\reduced.pcap
Guy Harris (2018-04-07 05:51:38 +0000)

Hello Guy Harris,

I got the following:

File name:           C:\Users\-\Desktop\Botnet-Training.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: 65535 bytes
Number of packets:   9388 k
File size:           5265 MB
Data size:           5115 MB
Capture duration:    121897416.419076 sec
First packet time:   2007-10-08 21:21:55.749708
Last packet time:    2011-08-19 17:45:32.168784
Data byte rate:      41 bytes/s
Data bit rate:       335 bits/s
Average packet size: 544.84 bytes
Average packet rate: 0 packets/s
SHA1:                7f23d8ed9bf098280298cc931e7f8f8b1b9b1f01
RIPEMD160:           e2d13c8f22440588c9723bec7729dca77ef73e09
MD5:                 0ea0131714c2b7dbdba4fd214f129fc7
Strict time order:   False
Number of interfaces in file: 1
Interface #0 info:
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 65535
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Number of stat entries = 0
                     Number of packets = 9388270

File name:           C:\Users\-\Desktop\FYP\reduced.pcap
File type:           Wireshark/... - pcapng
File encapsulation ...

yyl05 (2018-04-07 06:31:00 +0000)

1 Answer


You started off with a PCAP format file and ended up with a PCAPNG format file. So even though the number of frames is probably reduced, the file format itself is more 'bloated', so the file size reduction is negated.

Try adding the -F pcap option to the command line to force the output format to match the input format, and see what happens.

Jaap answered 2018-04-07 11:33:53 +0000

Comments

Yeap that solves it, thanks a bunch!

yyl05 (2018-04-07 17:20:31 +0000)

The number of frames was reduced, as per the capinfos output above, but it wasn't reduced by much - 9388270 packets to 9342486 packets - so the additional size of each frame record in pcapng outweighed the reduced number of records.

Guy Harris (2018-04-07 17:50:26 +0000)
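As an added illustration of Jaap's and Guy's point (example code written for this page, not code from the thread or from Wireshark), the per-record framing of the two formats can be used to estimate file sizes from the capinfos totals quoted above. The reduced file's data size is an assumption, since the thread only shows its packet count:

```python
# Added example (not code from the thread): estimate pcap vs pcapng sizes
# from each format's per-record framing, using the capinfos totals above.
# pcap:   24-byte file header, then per packet a 16-byte record header
#         (ts_sec, ts_usec, incl_len, orig_len) + captured bytes, no padding.
# pcapng: Section Header Block (28 B) + Interface Description Block (20 B),
#         no options; then per packet an Enhanced Packet Block: 8-byte block
#         header, 20 bytes of fields, captured bytes padded to 32 bits,
#         4-byte trailing block length, i.e. 32 bytes + padding per packet.

PCAP_FILE_HDR = 24
PCAP_REC_HDR = 16
PCAPNG_FIXED = 28 + 20          # SHB + IDB with no options (assumed minimum)
PCAPNG_EPB_OVERHEAD = 8 + 20 + 4

def pad4(n):
    """Bytes needed to round n up to a multiple of 4."""
    return (-n) % 4

def pcap_size(caplens):
    """Exact pcap size for a list of captured packet lengths."""
    return PCAP_FILE_HDR + sum(PCAP_REC_HDR + n for n in caplens)

def pcapng_size(caplens):
    """Exact pcapng size (minimal blocks) for the same packets."""
    return PCAPNG_FIXED + sum(PCAPNG_EPB_OVERHEAD + n + pad4(n) for n in caplens)

def estimate_from_capinfos(packets, data_bytes, avg_pad=1.5):
    """Aggregate form when only capinfos totals are known; avg_pad is the
    assumed mean pcapng padding per packet (0..3 bytes)."""
    pcap = PCAP_FILE_HDR + packets * PCAP_REC_HDR + data_bytes
    pcapng = (PCAPNG_FIXED + packets * PCAPNG_EPB_OVERHEAD
              + data_bytes + int(packets * avg_pad))
    return pcap, pcapng

def compare_thread_files():
    """Original file: 9388270 packets, 5115 MB of data (capinfos, SI MB).
    Reduced file: 9342486 packets; its data size is not in the thread, so
    it is ASSUMED to shrink in proportion to the packet count."""
    orig_pkts, orig_data = 9388270, 5115 * 10**6
    red_pkts = 9342486
    red_data = orig_data * red_pkts // orig_pkts
    orig_pcap, _ = estimate_from_capinfos(orig_pkts, orig_data)
    _, red_pcapng = estimate_from_capinfos(red_pkts, red_data)
    return orig_pcap, red_pcapng
```

The pcap estimate reproduces the 5265 MB capinfos reported for the original file (5115 MB of data plus 9388270 16-byte record headers), and the pcapng estimate for the reduced file comes out larger, because 16 extra bytes plus padding per record outweigh the 45784 records removed.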
