pcap question - brad's life — LiveJournal
Brad Fitzpatrick

[ website | bradfitz.com ]

pcap question [Oct. 21st, 2004|12:30 pm]
Brad Fitzpatrick
I have a 76 MB tcpdump capture file.

Any way I can easily dump the first 100-200k of each TCP connection as a text file into a directory? And showing both directions as ethereal's "Follow TCP stream" does, though I don't need color coding.

I just want to run a (large) regexp against all the flows and pick out certain ones.

Surely this has been done before, so what should I use?

Comments:
(Deleted comment)
From: bitwise
2004-10-21 12:45 pm (UTC)
The tool "tcpflow" might be of assistance. I think it's close to what you want, but I think it's tricky to understand the timing of a back-and-forth conversation: one end is dumped into one file, the other end is dumped into another file. Maybe it has other modes of operation, though, or you can beat it into the shape you need.
From: brad
2004-10-21 12:47 pm (UTC)
Each side as different files should work too. Thanks!
From: (Anonymous)
2004-10-21 10:09 pm (UTC)

replay + flow

Tcpflow won't read the pcap file directly IIRC. You can use tcpreplay to read the pcap file, and tcpflow to reconstruct the TCP sessions.
From: jope
2004-10-23 01:21 pm (UTC)
Yeah, the TCP reassembly is the tricky part. As bitwise noted, tcpflow can do that. The part in its docs that it "never frees state associated with flows that it records, so will grow large if used to capture a very large number of flows" is a nasty gotcha though.

You could maybe rig something with Net::LibNIDS, since it does stream reconstruction. Primary problem, unless I'm misreading its docs, is that it appears to only support live captures, not canned pcap files.
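Brad's ask (one text dump per TCP connection, both directions interleaved, only the first N bytes of each, then a regex over the lot) and jope's point about tcpflow holding flow state forever, as one added example. It is not code from this post, from tcpflow or from Net::LibNIDS: plain Python 3 with only the standard library, reading a canned pcap from memory (the thing jope says Net::LibNIDS can't do), reassembling each connection with a simplified algorithm (retransmitted bytes are dropped, holes are not buffered), capping every flow at max_bytes and discarding a flow's state the moment it closes or hits the cap. The capture it parses is constructed inline, and every name in it (extract_flows, grep_flows, write_flows, the 10.0.0.x addresses and ports) is an assumption of the example, not something from the post.

```python
import os, re, struct

ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

def pcap_records(data):
    """Yield each record's raw Ethernet frame from an in-memory libpcap file."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None or struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("not a libpcap capture with Ethernet link type")
    off = 24                                       # global header is 24 bytes, records 16
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    """Decode Ethernet/IPv4/TCP into (src, sport, dst, dport, seq, flags, payload), else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4 or frame[14 + 9] != IPPROTO_TCP:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    return src, sport, dst, dport, seq, tcp[13], tcp[(tcp[12] >> 4) * 4:]

class Flow:
    def __init__(self):  # chunks of both directions, next expected seq per direction, bytes kept, FINs seen
        self.chunks, self.next_seq, self.size, self.closed = [], {}, 0, set()

def extract_flows(pcap_bytes, max_bytes):
    """Reassemble every TCP connection, keeping only its first max_bytes of payload."""
    active, finished = {}, {}
    for frame in pcap_records(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, sport, dst, dport, seq, flags, payload = seg
        key = tuple(sorted([(src, sport), (dst, dport)]))   # one key for both directions
        if key in finished:
            continue                                   # capped or closed: nothing to keep
        flow = active.setdefault(key, Flow())
        label = "%s.%d -> %s.%d" % (src, sport, dst, dport)
        expected = flow.next_seq.get(label, seq + bool(flags & TCP_SYN))
        seg_end = seq + len(payload) + bool(flags & TCP_SYN) + bool(flags & TCP_FIN)
        if seq < expected:                             # retransmission: drop bytes already kept
            payload = payload[min(len(payload), expected - seq):]
        # seq > expected is a hole (loss/reordering); a real reassembler buffers until it fills
        if payload:
            payload = payload[:max_bytes - flow.size]
            flow.chunks.append((label, payload))
            flow.size += len(payload)
        flow.next_seq[label] = max(expected, seg_end)
        if flags & TCP_FIN:
            flow.closed.add(label)
        if flow.size >= max_bytes or len(flow.closed) == 2 or flags & TCP_RST:
            finished[key] = active.pop(key)            # free per-flow state right away
    finished.update(active)                            # connections still open at end of file
    return {"%s.%05d-%s.%05d" % (k[0] + k[1]): render(f) for k, f in finished.items()}

def render(flow):
    """Both directions interleaved in arrival order, like ethereal's 'Follow TCP stream'."""
    return "".join("[%s]\n%s\n" % (lbl, data.decode("latin-1")) for lbl, data in flow.chunks)

def grep_flows(flows, pattern):
    """Names of the flows whose text matches the regex (the post's actual goal)."""
    return [name for name, text in flows.items() if re.search(pattern, text, re.S)]

def write_flows(flows, directory):
    os.makedirs(directory, exist_ok=True)              # one text file per connection
    for name, text in flows.items():
        open(os.path.join(directory, name + ".txt"), "w", encoding="latin-1").write(text)

def build_frame(src, sport, dst, dport, seq, flags, payload):   # constructed sample, not a real capture
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    addr = lambda s: bytes(int(x) for x in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     addr(src), addr(dst)) + tcp       # checksums left zero; the parser ignores them
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip

def build_pcap(frames):
    hdr = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # little-endian, LINKTYPE_ETHERNET
    return b"".join(hdr + [struct.pack("<IIII", 1098359400 + i, 0, len(f), len(f)) + f
                           for i, f in enumerate(frames)])

C, S, REQ, RESP = "10.0.0.5", "10.0.0.9", b"GET /admin HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n\r\nhello"
SAMPLE_PCAP = build_pcap([
    build_frame(C, 40000, S, 80, 100, TCP_SYN, b""),
    build_frame(C, 40000, S, 80, 101, TCP_ACK, REQ),
    build_frame(C, 40000, S, 80, 101, TCP_ACK, REQ),                  # retransmission, kept once
    build_frame(S, 80, C, 40000, 501, TCP_ACK, RESP),
    build_frame(C, 40000, S, 80, 101 + len(REQ), TCP_FIN | TCP_ACK, b""),
    build_frame(S, 80, C, 40000, 501 + len(RESP), TCP_FIN | TCP_ACK, b""),   # both FINs: state freed
    build_frame(C, 40001, S, 25, 1, TCP_ACK, b"EHLO client\r\n"),     # second, chattier flow
    build_frame(S, 25, C, 40001, 1, TCP_ACK, b"250 " + b"X" * 200),   # pushes it past the cap
    build_frame(C, 40001, S, 25, 14, TCP_ACK, b"QUIT\r\n"),           # after the cap: ignored
])
```

For a real file, `extract_flows(open("capture.pcap", "rb").read(), 200000)` followed by `write_flows(flows, "flows")` gives the directory of per-connection text files, and `grep_flows(flows, big_regex)` picks out the interesting ones. The interleaving in render is the piece bitwise noted tcpflow does not give you (one file per direction), and popping a flow out of `active` as soon as it closes or hits the cap is the answer to the "never frees state" gotcha jope quoted: memory is bounded by the number of connections open at once, not by the number seen.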