I have a capture of aroung 70 files created with a ring buffer and want to easily find which files have information that I am looking for, in this instance I would like to filter them on NFSv3 "setattr" calls. I would like a better way than opening every file and running a filter on it.
You could script something with tshark to find the files of interest and then use Wireshark to analyze those files? I don't know which platform you're using but here's a basic shell script that might be of use to you:
#!/bin/sh
for f in `ls -1 *.pcapng`; do
echo $f
tshark -2 -r $f -Y "nfs.fsinfo.properties.setattr" -T fields -e frame.number -e nfs.fsinfo.properties.setattr
done
This will print the name of each file, but only those files with packets containing the given field will have additinal rows of frame numbers and setattr values printed after them. (This also assumes your files are pcapng files. Change the extension to pcap, cap or whatever file extension is applicable for you.)
If there are too many matching frames, then you might want to simplify the output by piping it to wc to only count lines, for example:
#!/bin/sh
for f in `ls -1 *.pcapng`; do
echo $f
tshark -2 -r $f -Y "nfs.fsinfo.properties.setattr" -T fields -e frame.number | wc -l
done
Any files with a matching field will have a number other than 0 printed, and that number will be the number of matching occurrences of the field.
Comments