This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to slice 3G trace for just “tcp.port == 1234 || udp.port == 1234”

0

Title says it all. I have a few 2-3G traces of a bunch of nonsense from the past 6 months and the only packets I'm looking for would match the display filter: (tcp.port==1234) || (udp.port==1234)

Is there any way I can slice the traces for just these packets? Using free tools of course :D

asked 23 Jun '14, 14:09


zasher
accept rate: 0%

What exactly do you mean by "slice"? Cut the payload at a specific offset/after a specific layer?

(23 Jun '14, 15:26) Jasper ♦♦

One Answer:

0

There are a few ways to interpret your question.

If you mean "How do I create a trace file with just the packets that match that port number?", the answer would be something like this in tshark (for Windows, go to your Wireshark install directory and use tshark.exe):

# -Y is the single-pass display filter; the older -R form now requires the two-pass -2 option
tshark -r {2G_File.pcap} -Y "(tcp.port==1234)||(udp.port==1234)" -w {FilteredFile.pcap}

If you mean "How do I read through the noise, as these files are too big to load in Wireshark or Tshark?", the answer (or mine, at least), would be to cut them down to fixed file size or packet count with the "editcap" utility, use the above command to pass them through a filter into 1234-only files, then merge those filtered files with the 'mergecap' utility.

So, between editcap, mergecap and tshark you should be able to work with the files to get those packets out without blowing up your memory by loading a 3G trace into Wireshark. Consult the man pages or manual for more information on all those:

Tshark: http://www.wireshark.org/docs/wsug_html_chunked/AppToolstshark.html

Editcap: http://www.wireshark.org/docs/wsug_html_chunked/AppToolseditcap.html

Mergecap: http://www.wireshark.org/docs/wsug_html_chunked/AppToolsmergecap.html

The manual index: http://www.wireshark.org/docs/wsug_html_chunked/

And finally if you mean "How do I automate a process of reading every one of those files and pulling out just these packets?", I suggest a perl script with a simple FOR loop on all those files, calling that Tshark query to read/filter/write, where you could remove the write option and just have it print to screen and leave it as a long-running script sorting through the files. Just keep in mind that would be memory intensive with tshark unless you cut the files down to size first. Also, I'd suggest "-t ad" to get the full date and time if you go with the text output method, so you can reference the exact capture file later (assuming it's timestamped) if needed.

Of my shots in the dark, I hope the answer was somewhere there. :)

answered 23 Jun '14, 20:54


Quadratic
accept rate: 13%

edited 23 Jun '14, 21:01
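As an added example (not from the original answer or from the Wireshark project), a POSIX shell script that ties the three steps of the answer together: chunk a large capture with editcap, filter each chunk with tshark, merge the filtered chunks with mergecap, and loop over a directory of captures. It assumes editcap, tshark and mergecap are on PATH and that 100000-packet chunks are a sensible size; both the chunk size and the output naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: chunk a large capture with
# editcap, filter each chunk with tshark, merge the results with mergecap.
# Assumes editcap/tshark/mergecap are on PATH; chunk size is an assumption.
set -eu

PORT="${PORT:-1234}"                      # port from the question
CHUNK_PACKETS="${CHUNK_PACKETS:-100000}"  # packets per editcap chunk

# Display filter for one port. tshark -Y applies it in a single pass;
# the older -R form now requires the two-pass -2 option.
port_filter() {
    printf 'tcp.port==%s || udp.port==%s' "$1" "$1"
}

# Output name for a filtered trace: capture.pcap -> capture-port1234.pcap
filtered_name() {
    printf '%s-port%s.pcap' "${1%.pcap}" "$2"
}

# Filter one capture file into another (the answer's tshark one-liner).
filter_capture() {   # $1=input  $2=output  $3=port
    tshark -r "$1" -Y "$(port_filter "$3")" -w "$2"
}

# Screen-only variant: no -w, with "-t ad" for absolute date and time.
show_matches() {     # $1=input  $2=port
    tshark -r "$1" -Y "$(port_filter "$2")" -t ad
}

# One large trace: split -> filter every chunk -> merge by timestamp.
slice_trace() {      # $1=large input pcap  $2=merged output pcap
    work="$(mktemp -d)"
    # -c N starts a new output file every N packets; editcap inserts
    # a sequence number and timestamp into each chunk's file name.
    editcap -c "$CHUNK_PACKETS" "$1" "$work/chunk.pcap"
    for chunk in "$work"/chunk*.pcap; do
        filter_capture "$chunk" "$chunk.filtered" "$PORT"
    done
    mergecap -w "$2" "$work"/chunk*.filtered
    rm -rf "$work"
}
# Automation over a directory of captures (the answer's loop idea).
slice_all() {        # $1=directory containing *.pcap files
    for f in "$1"/*.pcap; do
        [ -e "$f" ] || continue
        slice_trace "$f" "$(filtered_name "$f" "$PORT")"
    done
}
```

Run it as `. ./slice.sh; slice_all /path/to/traces` to produce one `<name>-port1234.pcap` per input trace, or call `show_matches big.pcap 1234` for the print-to-screen variant.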