Hello colleagues. I've setup dumpcap with ring buffer options and now i have around 20 files and 2Gb in total. I know how I can merge all files into 1, but it's too heavy to work with 2Gb file using filters and so on. I know, that from many packets in those files I need only specific tcp.stream. My question is, how can i get file with one tcp.stream only?
Thank you.
Chris Greer did an interview/video where at the end he covered how he filters and merges a ton of data. Skip to the 1 hour mark for that section specifically.
Thank you, I spend time to watch that clip, very interesting.
If you know the stream you want:
C:\>mergecap -w - *018152* | tshark -r - -w 231019_stream_2.pcapng tcp.stream==2
Or you could write a script to build a file per tcp.stream:
#!/bin/bash
for TCP_STREAM in `mergecap.exe -w - *018152* | tshark.exe -r - -T fields -e tcp.stream -Y tcp.stream | sort -n | uniq`
do
TCP_STREAM=`echo $TCP_STREAM | tr -d "\r\n"`
OUTFILE="211019_stream_${TCP_STREAM}.pcapng"
mergecap.exe -w - *018152* | tshark.exe -r - -w ${OUTFILE} tcp.stream==${TCP_STREAM}
done
Thank you so much for your answer, this really help me a lot.
Comments