Discussion:
Reading multiple files in tcpdump
Rayne
2009-03-04 03:01:48 UTC
Permalink
Hi all,

I have multiple trace files all beginning with the prefix "trace1_" and I would like to read all these files, apply a filter on them and write the filtered packets into another pcap file.

I've tried both reading from trace1* and listing all the filenames after the -r option, but I keep getting a syntax error.

Can I read multiple files in tcpdump and if so, how?

Thank you.
Stephen Fisher
2009-03-04 03:13:55 UTC
Permalink
Post by Rayne
I have multiple trace files all beginning with the prefix "trace1_"
and I would like to read all these files, apply a filter on them and
write the filtered packets into another pcap file.
I've tried both reading from trace1* and listing all the filenames
after the -r option, but I keep getting syntax error.
Can I read multiple files in tcpdump and if so, how?
I don't know about tcpdump, but with Wireshark you can use the included
CLI command mergecap to put the files together and then read it in.


Steve

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Guy Harris
2009-03-04 03:29:55 UTC
Permalink
Post by Rayne
I have multiple trace files all beginning with the prefix "trace1_"
and I would like to read all these files, apply a filter on them and
write the filtered packets into another pcap file.
I've tried both reading from trace1* and listing all the filenames
after the -r option, but I keep getting syntax error.
That's because you can give only one argument to the "-r" flag (or any
flag that takes an argument - and that's the case for most, if not
all, command-line flags on UN*X).
Post by Rayne
Can I read multiple files in tcpdump
No. tcpdump will read only one file.

I assume your goal is to combine all the packets from all the traces,
and write out a subset of those packets, selected by a filter, to
another file. If so, you could, as Stephen Fisher said, use mergecap
to combine them into a file and then read the file with tcpdump and
have it write the filtered packets to another file. It might also be
possible to pipe mergecap's output to its standard output, and pipe it
to a tcpdump that you've told to read from its standard input, and
avoid the intermediate file.
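The pipeline Guy describes (mergecap merging the traces chronologically, tcpdump reading the merged stream from standard input and writing only the packets that pass a filter) can be shown end to end with a minimal pcap reader and writer. This is an added example, not Wireshark or tcpdump code: the two "trace1_" files, the frame builder and the UDP port filter are constructed here, and the real-tool equivalent it mirrors is `mergecap -w - trace1_* | tcpdump -r - -w filtered.pcap 'udp port 1719'`.

```python
import glob
import heapq
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap, microsecond timestamps, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1      # the same magic as read from a big-endian file
LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Parse a classic pcap blob; return (linktype, [(ts_sec, ts_usec, packet), ...])."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_usec, pkt))
    return linktype, records


def write_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialise (ts_sec, ts_usec, packet) records as a little-endian pcap blob."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def udp_ports(pkt):
    """(sport, dport) of an Ethernet/IPv4/UDP frame, or None if it is anything else."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":      # EtherType must be IPv4
        return None
    if pkt[14] >> 4 != 4 or pkt[23] != 17:               # IP version 4, protocol UDP
        return None
    if struct.unpack_from("!H", pkt, 20)[0] & 0x1FFF:   # later fragment: no UDP header
        return None
    udp = 14 + (pkt[14] & 0x0F) * 4                      # skip IPv4 options if present
    if len(pkt) < udp + 8:
        return None
    return struct.unpack_from("!HH", pkt, udp)


def merge_and_filter(blobs, keep):
    """Chronological k-way merge of pcap blobs (each assumed to be in time order, as
    mergecap assumes), keeping only records whose packet satisfies keep(pkt)."""
    parsed = [read_pcap(b) for b in blobs]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError("mixed link types %s cannot share one classic pcap" % sorted(linktypes))
    merged = heapq.merge(*(recs for _, recs in parsed), key=lambda r: (r[0], r[1]))
    return [r for r in merged if keep(r[2])]


def make_udp_frame(sport, dport, payload=b"x" * 8):
    """Constructed Ethernet/IPv4/UDP frame (checksums left at zero; only headers matter here)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def build_sample_traces():
    """Two constructed 'trace1_' files whose timestamps interleave, as captures from two probes would."""
    trace1_a = write_pcap([(100, 0, make_udp_frame(40000, 1719)),
                           (102, 0, make_udp_frame(40001, 53))])
    trace1_b = write_pcap([(101, 0, make_udp_frame(1719, 40000)),
                           (103, 500, make_udp_frame(40002, 1720))])
    return [trace1_a, trace1_b]


def filter_udp_port(blobs, port):
    """Equivalent of: mergecap -w - trace1_* | tcpdump -r - -w out.pcap 'udp port <port>'"""
    return merge_and_filter(blobs, lambda p: port in (udp_ports(p) or ()))


def filter_files(pattern, out_path, port):
    """Same over real files: the wildcard tcpdump -r rejects is expanded here instead."""
    blobs = [open(p, "rb").read() for p in sorted(glob.glob(pattern))]
    kept = filter_udp_port(blobs, port)
    with open(out_path, "wb") as f:
        f.write(write_pcap(kept))
    return len(kept)


if __name__ == "__main__":
    for ts_sec, ts_usec, pkt in filter_udp_port(build_sample_traces(), 1719):
        print("%d.%06d  udp %d -> %d" % ((ts_sec, ts_usec) + tuple(udp_ports(pkt))))
```

The merge refuses inputs with different link-layer types because a classic pcap file carries a single linktype in its global header; the port filter also skips non-first IP fragments, which carry no UDP header and would otherwise be matched on payload bytes.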
Alex Lindberg
2009-03-04 22:49:11 UTC
Permalink
Here is a Linux script I use for this very purpose.  As an example, if you wish to see all packets on udp.port == 1719 and save the output to a file UDP1719.cap then do:

MergePackets.sh "MyFiles*" "udp.port == 1719" UDP1719.cap

~/bin$ cat MergePackets.sh
#!/bin/sh

if [ "$2x" = "x" ];
        then
        echo "$0 <Path> <DisplayFilter> [<OutputFile>]"
        echo " "
        echo "The purpose of this script is to take all capture files in a directory"
        echo "and create a single file that is filtered based on the input string."
        echo " "
        echo "This string could be an IP address, \"ip.addr == 1.1.1.1\""
        echo "or a port number \"tcp.port == 1720\", etc."
        echo " "
        echo "The input must be in a display filter format."
        echo " "
        echo "If you are using a wildcard in the <Path>, please enclose it in \" \" marks"
        echo " "
        echo "If OutputFile is not specified, the output will be to stdout"
        echo " "
        echo "********************** NOTICE ******************************"
        echo "This script will run under LINUX only:"
        echo "With proper changes this script could run on a windows PC."
        echo "If you do so, do with care!!!"
        exit 1
fi

# Wireshark or Ethereal
SHARK=tshark
#SHARK=tethereal
# Note: tshark versions newer than this script take the display filter
# with -Y; -R is now the two-pass read filter and needs -2 as well.

# Per-file filtered output goes into a private temporary directory.
# A fixed name such as /tmp/foobar is predictable, so another local
# user could create it (or a symlink there) first and read or replace
# the filtered packets; mktemp creates a fresh directory with mode 0700.
TEMPDIR=$(mktemp -d) || exit 1

# Expand the (quoted) wildcard in $1 into the list of input files.
i=1
for I in $1;
        do
        # Progress goes to stderr so it never mixes with a pcap written to stdout.
        echo "$i $I $2" >&2
        # basename keeps any directory part of $I out of the temp file name.
        # ">/dev/null 2>&1" is the portable spelling of bash's "&>/dev/null";
        # under a non-bash /bin/sh, "&>" would background tshark instead.
        $SHARK -r "$I" -w "$TEMPDIR/~$(basename "$I")-$i" -R "$2" >/dev/null 2>&1
        i=$((i+1))
        done

if [ "$3x" = "x" ];
        then
        # if here use stdout
        OUTFILE="-"
        else
        OUTFILE=$3
        fi

mergecap -w "$OUTFILE" "$TEMPDIR"/~*
rm -r "$TEMPDIR"

Enjoy.  Your mileage may vary.
Alex Lindberg

Guy Harris
2009-03-04 23:15:12 UTC
Permalink
Post by Alex Lindberg
echo "This script will run under LINUX only:"
Well, I guess my system must be Linux, as it ran the script.

I do have one question, though - anybody know what Linux distribution
has a kernel that calls itself "Darwin" rather than "Linux"?

$ uname -s
Darwin

:-)

(It'll probably even run on UN*Xes where /bin/sh *isn't* Bash if you
replace "&>/dev/null" with ">/dev/null 2>&1". Maybe it'll run on
Windows with Cygwin, too - possibly even without that change, as I
think the sh in Cygwin is Bash....)
Bland Chuck-CNGR85
2009-03-06 20:28:38 UTC
Permalink
In an Advanced IO Graph, I have set the filter to tcp.len>0 to give me
packets that have data. Now, I want to display how many in each time
period made it through that filter. I presume I use a COUNT(*) graph,
but what variable do I use?

Chuck Bland
ronnie sahlberg
2009-03-06 20:44:20 UTC
Permalink
If you want to count how many packets there were just specify "tcp" (or any
field really would work) and it will count how many frames there are
containing tcp.

If you want to count how many bytes were carried inside tcp use SUM(tcp.len)
since this will add together all tcp.len fields it finds.
Post by Bland Chuck-CNGR85
In an Advanced IO Graph, I have set the filter to tcp.len>0 to give me
packets that have data. Now, I want to display how many in each time period
made it through that filter. I presume I use a COUNT(*) graph, but what
variable do I use?
Chuck Bland
Bland Chuck-CNGR85
2009-03-06 21:22:09 UTC
Permalink
Ronnie,

The filter is tcp.len>0 and tcp.dstport==4176 and the COUNT(*) variable
is "tcp".

The graph is a flat line at 0.

If I apply the filter as a display filter, I get lots of packets
displayed, so I know the count isn't really zero.

What did I miss?

Chuck

Sake Blok
2009-03-06 21:35:38 UTC
Permalink
The fieldname that you are counting should be part of the filter string. So either you can count tcp.len or you can change the filter to "tcp and tcp.len>0 and tcp.dstport==4176"

Hope this helps,
Cheers,
Sake
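What the Advanced IO Graph computes for one line, as Ronnie and Sake describe it (bucket the frames that pass the display filter by time interval, then COUNT the occurrences of a field, or SUM its values, per bucket), written out as an added example. This is not Wireshark code and does not reproduce the graph dialog's own field-extraction rules; the frames are constructed dicts of dissected fields, the filter is a Python predicate standing in for "tcp.len>0 and tcp.dstport==4176", and the last check shows the one way a COUNT line is flat at zero in this model: the counted field never occurs in any frame that passes the filter.

```python
from collections import defaultdict

# Constructed frames: each dict holds the fields a dissector would expose.  A field
# that is absent from the dict is absent from the frame (the UDP frame has no "tcp").
FRAMES = [
    {"frame.time": 0.2, "tcp": True, "tcp.len": 100, "tcp.dstport": 4176},
    {"frame.time": 0.7, "tcp": True, "tcp.len": 0,   "tcp.dstport": 4176},   # pure ACK
    {"frame.time": 1.1, "tcp": True, "tcp.len": 300, "tcp.dstport": 4176},
    {"frame.time": 1.5, "tcp": True, "tcp.len": 50,  "tcp.dstport": 80},
    {"frame.time": 1.9, "udp": True, "udp.length": 60},
    {"frame.time": 2.3, "tcp": True, "tcp.len": 200, "tcp.dstport": 4176},
]

AGGREGATES = {
    "COUNT": len,
    "SUM": sum,
    "MAX": max,
    "MIN": min,
    "AVG": lambda v: sum(v) / len(v),
}


def io_graph(frames, display_filter, aggregate, field, interval=1.0):
    """One IO-graph line: bucket the frames that pass display_filter by time, then apply
    aggregate to every occurrence of `field` in each bucket.  A bucket with no
    occurrence of the field plots as 0, which is what a flat line at zero means."""
    per_bucket = defaultdict(list)
    last = 0
    for fr in frames:
        bucket = int(fr["frame.time"] // interval)
        last = max(last, bucket)
        if display_filter(fr) and field in fr:
            per_bucket[bucket].append(fr[field])
    op = AGGREGATES[aggregate]
    return {b * interval: (op(per_bucket[b]) if per_bucket[b] else 0) for b in range(last + 1)}


def data_to_4176(fr):
    """Stands in for 'tcp.len>0 and tcp.dstport==4176' (a missing field compares false)."""
    return fr.get("tcp.len", 0) > 0 and fr.get("tcp.dstport") == 4176


def packets_per_second():
    """COUNT(tcp): number of filtered frames per 1 s bucket."""
    return io_graph(FRAMES, data_to_4176, "COUNT", "tcp")


def bytes_per_second():
    """SUM(tcp.len): TCP payload bytes per 1 s bucket."""
    return io_graph(FRAMES, data_to_4176, "SUM", "tcp.len")


if __name__ == "__main__":
    print("packets:", packets_per_second())
    print("bytes:  ", bytes_per_second())
```

Counting "tcp" and counting "tcp.len" give the same line here because every TCP frame carries both fields; SUM(tcp.len) is the only one of the three that changes with payload size, which is why Ronnie suggests it for bytes rather than frames.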
Bland Chuck-CNGR85
2009-03-06 22:07:10 UTC
Permalink
ah! Got it.

Thanks!
