This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Create another PCAP of a specific IP from a large PCAP

0

Hi,

Actually, I am caught up in a flux and was looking for some help.

I have a 1 GB file with data from multiple IPs. I use ngrep to find a particular keyword in the file and then find the source IP and destination IP of that packet where the keyword was present. I then used tshark and the found IPs to create another PCAP from the large PCAP of packets of only the communication between those two IPs. However, when I run my Python script to decode the created PCAP file, it does not give any results. While the same script on the original PCAP gives results. I have tried multiple options but nothing seems to give me the right results. Can you suggest a method to help me with this problem? Would be really grateful

Best regards,

asked 24 Mar '11, 07:28


John Major
6113
accept rate: 0%

I guess you used tshark like this:

tshark -r 1gb-file.pcap -R "ip.addr == 1.2.3.4 and ip.addr == 2.3.4.5" -w just-2-stations.pcap

(24 Mar '11, 09:50) packethunter

2 Answers:

3

I guess your filter is the problem:

Actually I used a little different version of this. I used "ip.src == 1.2.3.4 and ip.dest == 2.3.4.5" or "ip.src == 2.3.4.5" and "ip.dest == 1.2.3.4"

If you do it like that you will probably get zero packets, resulting in an empty file (well, it'll have 24 bytes for pcap file headers, but not a single frame). The reason for it is in the way Wireshark prefers "and" and "or" statements when there are no brackets to prioritize - I'm not 100% sure but I think the way Wireshark parsed your statement is like this:

ip.src == 1.2.3.4 and (ip.dest == 2.3.4.5 or ip.src == 2.3.4.5) and ip.dest == 1.2.3.4

That way you ended up with the filter requesting both IP source and destination to be the same IP, which of course never matched. You need to either use packethunter's syntax for filtering, or put brackets around the "and" blocks like this:

(ip.src == 1.2.3.4 and ip.dest == 2.3.4.5) or (ip.src == 2.3.4.5 and ip.dest == 1.2.3.4)

Things for you to do:

  1. Load your 1 GB file with Wireshark, stop the loading process when you're pretty sure there is at least one packet of the communication loaded but before Wireshark runs into an out of memory situation.
  2. If you can't do that, build your filter with existing, substituted IP addresses and change them back for the real filtering later.
  3. Test your display filter to give you the results you want for the complete file. If you know that there is at least one packet that should be displayed but isn't, you got your display filter syntax wrong.
  4. Use tshark with the working filter
  5. Check the file size: if it is only 24 bytes you created another "empty" pcap file with zero packets, meaning your filter didn't match anything (and your python script won't find anything)
  6. Run your python script.

P.S: next time just comment your question again to bring it back up to anyone's attention if you're wondering why there is no further answer. Trying to email me for private help isn't the exact idea of this Q&A forum - others might be interested in the answers, too ;-)

answered 27 Mar '11, 03:43


Jasper ♦♦
23.8k551284
accept rate: 18%
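Added example (not from the thread, and not tshark itself): a small Python script that models the three filter wordings discussed above (the "misparsed" reading Jasper describes, packethunter's ip.addr form, and the bracketed form) against a constructed list of src/dst pairs, then writes the selected packets to a real pcap file and applies the 24-byte "empty file" check from step 5. Field names, IPs and the frame layout are constructed for illustration; the point is that only explicit brackets make the two-direction filter independent of operator precedence.

```python
"""Constructed example: how filter wording changes what lands in the output pcap."""
import os
import struct
import tempfile
from socket import inet_aton

# Constructed sample traffic as (src, dst) pairs: the two-way conversation
# between the two stations of interest plus unrelated hosts.
PACKETS = [
    ("1.2.3.4", "2.3.4.5"),
    ("2.3.4.5", "1.2.3.4"),
    ("1.2.3.4", "9.9.9.9"),
    ("9.9.9.9", "2.3.4.5"),
    ("10.0.0.1", "10.0.0.2"),
]

A, B = "1.2.3.4", "2.3.4.5"


def misparsed(src, dst):
    """ip.src == A and (ip.dst == B or ip.src == B) and ip.dst == A
    Requires src == A and dst == A at once, so it never matches."""
    return src == A and (dst == B or src == B) and dst == A


def bracketed(src, dst):
    """(ip.src == A and ip.dst == B) or (ip.src == B and ip.dst == A)"""
    return (src == A and dst == B) or (src == B and dst == A)


def addr_form(src, dst):
    """ip.addr == A and ip.addr == B: ip.addr matches either direction."""
    return A in (src, dst) and B in (src, dst)


def select(pred, packets=PACKETS):
    """Return the packets a display filter would keep."""
    return [p for p in packets if pred(*p)]


# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def ipv4_frame(src, dst):
    """Minimal constructed Ethernet + IPv4 header with no payload (34 bytes)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    return eth + ip


def write_pcap(path, packets):
    """Write the selected packets as a classic pcap file."""
    with open(path, "wb") as f:
        f.write(PCAP_GLOBAL_HEADER)
        for i, (src, dst) in enumerate(packets):
            data = ipv4_frame(src, dst)
            # record header: ts_sec, ts_usec, incl_len, orig_len
            f.write(struct.pack("<IIII", i, 0, len(data), len(data)))
            f.write(data)


def pcap_is_empty(path):
    """Step 5 from the answer: 24 bytes means header only, zero frames."""
    return os.path.getsize(path) == 24


def demo():
    """Write both filter results to disk; return (misparsed_empty, bracketed_empty, bracketed_size)."""
    tmp = tempfile.mkdtemp()
    bad = os.path.join(tmp, "misparsed.pcap")
    good = os.path.join(tmp, "bracketed.pcap")
    write_pcap(bad, select(misparsed))
    write_pcap(good, select(bracketed))
    return pcap_is_empty(bad), pcap_is_empty(good), os.path.getsize(good)


if __name__ == "__main__":
    print("misparsed :", select(misparsed))
    print("bracketed :", select(bracketed))
    print("ip.addr   :", select(addr_form))
    print("sizes     :", demo())
```

Running it shows the misparsed reading selecting nothing (and producing the 24-byte file the answer warns about), while the bracketed and ip.addr forms both keep exactly the two packets of the conversation. The same size check works on a real tshark output file before handing it to the decoding script.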

0

Actually I used a little different version of this. I used "ip.src == 1.2.3.4 and ip.dest == 2.3.4.5" or "ip.src == 2.3.4.5" and "ip.dest == 1.2.3.4"

This way I was trying to capture the entire communication between only two IPs from a host of IPs. Yet, the formed PCAP has some segmentation fault or tcp out of sequence or malformed packet error. As a result I can't decode it.

answered 24 Mar '11, 23:45


John Major
6113
accept rate: 0%