  Linux, how to filter, split, and merge pcap file
     
  Add Date : 2017-04-13      
         
       
         
If you are testing a network intrusion detection system or a network access control policy, you will often need to capture packets and analyze those captures offline. Captured packets are usually saved in the libpcap format, pcap, which is the format used by many open source sniffers and packet-capture programs. When a pcap file is used for offline analysis or penetration testing, it usually has to be manipulated in some way before it is replayed into the network.

In this article, I will describe some tools for manipulating pcap files and how to use them.

Editcap and Mergecap

Wireshark, the most popular GUI sniffer, actually ships with a set of very useful command-line tools, among them editcap and mergecap. editcap is a versatile pcap editor that can filter a pcap file in various ways and split it into pieces. mergecap can combine multiple pcap files into one. This article is based on these Wireshark command-line tools.

If you already have Wireshark installed, these tools are already on your system. If not, install the Wireshark command-line tools as shown below. Note that on Debian-based distributions you can install only the command-line tools without the Wireshark GUI, but on Red Hat-based distributions you need to install the whole Wireshark package.

Debian, Ubuntu or Linux Mint

$ sudo apt-get install wireshark-common

Fedora, CentOS or RHEL

$ sudo yum install wireshark

Once the tools are installed, you can start using editcap and mergecap.

Filter pcap files

With editcap, we can filter the contents of a pcap file according to many different rules and save the result to a new file.

First, let's filter a pcap file by a start and end time. The "-A <start-time>" and "-B <end-time>" options keep only the packets that arrived within that time window (for example, from 2:30 to 2:35). The time format is "YYYY-MM-DD HH:MM:SS".

$ editcap -A '2014-12-10 10:11:01' -B '2014-12-10 10:21:01' input.pcap output.pcap

You can also extract a specific range of packets from a file. The following command extracts 100 packets (numbers 401 to 500) from input.pcap and saves them to output.pcap (the -r option keeps the selected range instead of deleting it, which is editcap's default):

$ editcap -r input.pcap output.pcap 401-500
The "-D <dup-window>" option removes duplicate packets; dup-window is the size of the comparison window. Each packet is compared by length and MD5 hash with the <dup-window>-1 packets that preceded it, and if a match is found the packet is discarded.

$ editcap -D 10 input.pcap output.pcap

Scanning 37568 packets with a window of 10, only one duplicate packet was found and discarded.

Duplicates can also be defined by a time interval. With the "-w" option, each packet is compared with the packets that arrived within the given number of seconds before it.

$ editcap -w 0.5 input.pcap output.pcap

Scanning 50,000 packets with a duplicate window of 0.5 seconds, no duplicate packets were found.

Split pcap files

When you need to split a big pcap file into multiple smaller files, editcap also comes in handy.

Split a pcap file into multiple files with the same number of packets each:

$ editcap -c <packets-per-file> <input-pcap-file> <output-prefix>

Each output file contains the same number of packets and is named in the form <output-prefix>-NNNN.

Split a pcap file by time interval:

$ editcap -i <seconds-per-file> <input-pcap-file> <output-prefix>
Merge pcap files

If you want to merge multiple pcap files into one, mergecap is very convenient.

When merging multiple files, mergecap by default orders the packets chronologically by their internal timestamps.

$ mergecap -w output.pcap input.pcap input2.pcap [input3.pcap ...]

If you want to ignore the timestamps and simply merge the files in the order given on the command line, use the -a option.

For example, the following command writes the contents of input.pcap to output.pcap and appends the contents of input2.pcap after it.

$ mergecap -a -w output.pcap input.pcap input2.pcap
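As an added example that is not part of this article or of Wireshark, the following Python reimplements two of the operations described above on in-memory pcap data: editcap's -D duplicate window (length plus MD5 compared against the previous window-1 packets) and mergecap's default chronological merge versus the -a concatenation. The pcap struct layout, the constructed sample captures and the function names are assumptions of this example, not editcap's or mergecap's own code.

```python
import hashlib
import struct
from collections import deque

# Classic little-endian, microsecond-resolution pcap (assumption: inputs use this variant).
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major/minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(data):
    """Return the records of a pcap blob as a list of (ts_sec, ts_usec, packet_bytes)."""
    if GLOBAL_HDR.unpack_from(data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off, pkts = GLOBAL_HDR.size, []
    while off + REC_HDR.size <= len(data):
        sec, usec, incl, _orig = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        pkts.append((sec, usec, data[off:off + incl]))
        off += incl
    return pkts

def write_pcap(pkts, linktype=1):
    """Serialise records back into a pcap blob (linktype 1 = Ethernet)."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, payload in pkts:
        out.append(REC_HDR.pack(sec, usec, len(payload), len(payload)) + payload)
    return b"".join(out)

def dedup(pkts, window):
    """editcap -D semantics: drop a packet whose (length, MD5) matches one of the previous window-1 packets."""
    recent, kept = deque(maxlen=window - 1), []
    for p in pkts:
        sig = (len(p[2]), hashlib.md5(p[2]).digest())
        if sig not in recent:
            kept.append(p)
        recent.append(sig)  # every packet enters the window, kept or not
    return kept

def merge(blobs, chronological=True):
    """mergecap default: order by packet timestamp; mergecap -a: concatenate in argument order."""
    pkts = [p for blob in blobs for p in read_pcap(blob)]
    if chronological:
        pkts.sort(key=lambda p: (p[0], p[1]))  # stable sort, so equal timestamps keep file order
    return write_pcap(pkts)

# Constructed sample captures (epoch seconds near 2014-12-10 10:11 UTC); payloads stand in for frames.
CAP_A = write_pcap([(1418206261, 0, b"dup"), (1418206263, 0, b"dup"), (1418206265, 0, b"A2")])
CAP_B = write_pcap([(1418206262, 0, b"B1"), (1418206264, 0, b"dup")])

def demo():
    merged = read_pcap(merge([CAP_A, CAP_B]))  # chronological, interleaves the two captures
    return [p[2] for p in merged], len(dedup(merged, 2)), len(dedup(merged, 3))
```

demo() shows why the window size matters: with -D 2 the two "dup" packets separated by B1 are both kept, while -D 3 looks far enough back to discard them.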
Summary

In this guide, I showed several examples of manipulating pcap files with editcap and mergecap. There are other tools as well, such as reordercap for reordering packets, text2pcap for converting text dumps into pcap files, pcap-diff for comparing the differences between pcap files, and so on. When testing network intrusion detection or troubleshooting network problems, these tools, together with a packet injection tool, are very practical, so it is worth getting to know them.

Have you used pcap tools? If so, what have you used them for?
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.