I am trying to write a script that will remove duplicate packets (layer 3 and above) by comparing the data in two consecutive packets (or along a sliding window) and if they are identical, it will throw out the duplicates. The packets are not 100% duplicates since the MACs and TTLs are different, but from layer 3 and above they are identical. Therefore, editcap -d won't work, as it requires the MD5 hash to be the same.
The way I would like to do this is to output the data like this:
Then I can use a script to check the data for duplicates and use the timestamp at the beginning of the packet to read it back into a pcap file.
The command below summarizes what I have so far. What I need is the
Please note that the -t argument to text2pcap didn't actually work for me. I had to reformat the time a little before it worked. Also, I realize that the packets aren't 100% identical, since the layer 2 information is changed with different MACs and TTLs. But I want to look only at layer 3 and above for my filtering.
Thanks for any help you can provide!
asked 12 Mar '13, 08:08
edited 12 Mar '13, 09:03
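As an added example (not part of the question or any answer on this page), here is a stand-alone Python script that does the layer-3-and-above comparison the question describes directly on a pcap file, without the text round trip through tshark and text2pcap. It parses the classic pcap format with the standard library only, strips the Ethernet header, zeroes the IPv4 TTL and header checksum (the checksum changes whenever the TTL does), and drops any frame whose normalized layer 3+ bytes match one seen within a sliding window of recent frames. The sample frames and the `window` parameter are constructed for the illustration and are assumptions, not values from the page.

```python
import struct
from collections import deque

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14
IPV4_MIN_HDR_LEN = 20


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over a header whose checksum field is zero."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_frame(src_mac, dst_mac, ttl, payload, ident=1):
    """Build a constructed Ethernet/IPv4/UDP frame for the demo (not captured traffic)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) +
           struct.pack("!H", ETHERTYPE_IPV4))
    udp_len = 8 + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR_LEN + udp_len,
                               ident, 0, ttl, 17, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    ip[10:12] = struct.pack("!H", ipv4_checksum(ip))
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    return eth + bytes(ip) + udp


def build_pcap(records):
    """Serialize (ts_sec, ts_usec, frame) records into a classic pcap byte string."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Parse a little-endian classic pcap into (ts_sec, ts_usec, frame) records."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    offset, records = 24, []
    while offset + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16
        records.append((sec, usec, data[offset:offset + incl_len]))
        offset += incl_len
    return records


def layer3_key(frame):
    """Bytes from the IP header onward, with the hop-variable TTL and checksum zeroed.

    Two frames that differ only in MAC addresses and TTL produce the same key."""
    if len(frame) < ETH_HDR_LEN:
        return bytes(frame)
    l3 = bytearray(frame[ETH_HDR_LEN:])
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_IPV4 and len(l3) >= IPV4_MIN_HDR_LEN:
        l3[8] = 0                 # TTL
        l3[10:12] = b"\x00\x00"   # header checksum, which follows the TTL
    return bytes(l3)


def dedupe(records, window=5):
    """Keep the first frame of each layer 3+ duplicate run within a sliding window."""
    recent = deque(maxlen=window)
    kept = []
    for rec in records:
        key = layer3_key(rec[2])
        if key in recent:
            continue              # duplicate of a recently kept frame: drop it
        recent.append(key)
        kept.append(rec)
    return kept


# Constructed sample: each query is seen twice, once per hop, with new MACs and a lower TTL.
SAMPLE_RECORDS = [
    (1000, 100, make_frame("00:11:22:33:44:01", "00:11:22:33:44:02", 64, b"query-1", 1)),
    (1000, 150, make_frame("00:11:22:33:44:02", "00:11:22:33:44:03", 63, b"query-1", 1)),
    (1000, 300, make_frame("00:11:22:33:44:01", "00:11:22:33:44:02", 64, b"query-2", 2)),
    (1000, 350, make_frame("00:11:22:33:44:02", "00:11:22:33:44:03", 63, b"query-2", 2)),
    (1001, 100, make_frame("00:11:22:33:44:01", "00:11:22:33:44:02", 64, b"query-3", 3)),
]


def dedupe_pcap_bytes(pcap_bytes, window=5):
    """Full round trip: parse a pcap, drop layer 3+ duplicates, re-serialize."""
    return build_pcap(dedupe(parse_pcap(pcap_bytes), window=window))


if __name__ == "__main__":
    kept = dedupe(SAMPLE_RECORDS, window=2)
    print(f"{len(SAMPLE_RECORDS)} frames in, {len(kept)} kept")
```

Run against a real file by replacing `SAMPLE_RECORDS` with `parse_pcap(open("in.pcap", "rb").read())` and writing `dedupe_pcap_bytes(...)` back out; the window size plays the same role as the frame window in editcap's duplicate detection, and it is worth trying a few values, since a window too small lets retransmitted-looking copies through and a window too large can drop legitimate repeats of identical payloads. Non-IPv4 frames are compared on their raw layer 3 bytes, and the parser only handles the little-endian classic pcap format, not pcapng.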
Does editcap with the -d option (along with the -D and -w options that set the frame window and time window for dups respectively) not meet your needs? Editcap should be installed along with Wireshark.
answered 12 Mar '13, 08:13