On a production system, I'm using "dumpcap -i any -b ..." to capture all network traffic on the machine and write it to a rotating set of files, so I have a set of files containing all of the network traffic for the previous few hours.
I need to know how to read one or more of these files, filter out specific types of traffic (based on client IP address), and write the matching packets to a new pcap file which contains only the matching packets.
The closest I have so far is this:
mergecap -w- live*.pcap | tshark -i- -R 'ip.addr==220.127.116.11' -w 18.104.22.168.pcap
What I have found is that, without the "-w" option, the output (lines of text describing each packet) contains only the selected packets. However, with the "-w" option, the output contains every packet from the input, whether it matches the filter or not.
How can I get just the packets which match a specific filter?
asked 02 Oct '12, 12:47
The problem is the CentOS 6 "base" yum repository, which is hideously out of date. It contains wireshark version 1.0.15.
I just tried it with wireshark 1.8.3, and the following command line works:
mergecap -a -F libpcap -w- live*.pcap | tshark -r- -R 'ip.addr==22.214.171.124' -w 126.96.36.199.pcap
Note that I also tried it with 1.8.2 on a laptop where wireshark had been installed previously; there, the same command fails with this error message:
tshark: The file "-" could not be opened: Illegal seek.
answered 02 Oct '12, 20:06
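As an added example (not from this thread or from the Wireshark project), the following pure-stdlib Python reproduces what the working pipeline does: merge several libpcap files by timestamp, keep only frames where ip.addr matches the given host, and write them as a new pcap image. It assumes untagged Ethernet/IPv4 captures with microsecond timestamps; the sample frames and capture files are constructed inline.

```python
import struct
import socket

PCAP_MAGIC = 0xA1B2C3D4            # libpcap magic, microsecond timestamps (nanosecond variant not handled)
LINKTYPE_ETHERNET = 1

def read_pcap(data):
    """Yield (ts_sec, ts_usec, orig_len, packet) for each record in a libpcap file."""
    endian = "<" if data[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet libpcap file with microsecond timestamps")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, orig_len, data[off:off + incl_len]
        off += incl_len

def ip_addr_matches(pkt, host):
    """Equivalent of the display filter ip.addr==host for an untagged Ethernet frame."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # EtherType must be IPv4; VLAN tags not handled
        return False
    want = socket.inet_aton(host)
    return pkt[26:30] == want or pkt[30:34] == want    # IPv4 source or destination address

def filter_pcaps(files, host, snaplen=65535):
    """Merge capture files, keep packets to/from host, return the new pcap as bytes."""
    records = [rec for f in files for rec in read_pcap(f)]
    records.sort(key=lambda r: (r[0], r[1]))            # like mergecap's default: merge by timestamp
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, orig_len, pkt in records:
        if ip_addr_matches(pkt, host):
            out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len) + pkt)
    return b"".join(out)

def make_frame(src, dst):
    """Constructed sample: minimal Ethernet/IPv4 header (UDP, no payload, checksum left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def make_pcap(frames):
    """Constructed sample capture file from (timestamp_seconds, frame) pairs."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in frames)

def matched_addresses(pcap_bytes):
    """Return the (src, dst) address pairs in a filtered capture, for checking the result."""
    return [(socket.inet_ntoa(p[26:30]), socket.inet_ntoa(p[30:34])) for *_, p in read_pcap(pcap_bytes)]
```

Writing the returned bytes to a file gives a capture that Wireshark or tshark -r can open directly.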