Hi, I'm trying to baseline SYN rates on our network. I have a 145GB pcap and I'm trying to use tshark to extract them.
tshark -Y tcp==02 -r "reallybigpcap.cap" -w syns.pcap
This eventually fails with a "failed to allocate memory" error. I think it's trying to load the whole file into RAM and fails.
Can anyone suggest another tool that can do what I want?
asked 17 Mar '15, 07:30
You might first try truncating the file to only the first 66 bytes (IPv4) to limit the amount of additional protocol decoding that tshark needs to do. Use editcap to create a new file.
This will only grab the bytes up through the IPv4 header in each packet. Then, retry your tshark command with the "newsmallercap.cap" file. Tshark will still use up memory, but hopefully less than before.
If there's a better way, please let me know too!
answered 17 Mar '15, 11:08
You can use tcpdump or WinDump for this purpose, as they do not keep (as much) state (as tshark). If the file is still too big to process, you can use editcap to split it into chunks, process each chunk, and then merge the filtered parts back into one file with mergecap.
Editcap and mergecap come with Wireshark; tcpdump/WinDump are separate programs.
answered 17 Mar '15, 12:05
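Both answers rely on the same two ideas: shorten each record to a small snaplen (as editcap -s does) and then make a single stateless pass over the file so memory use no longer grows with the capture. The following added example (my own code, not from either answer nor from the Wireshark project) implements both in the standard library: a streaming pcap reader that yields one record at a time, a `truncate_pcap` function that behaves like `editcap -s N`, and a SYN-only check equivalent to the display filter `tcp.flags.syn==1 && tcp.flags.ack==0`, binned per second for baselining. It assumes classic little- or big-endian pcap (not pcapng) with Ethernet framing, and it builds its own small constructed capture so it runs offline; the sample file names and the traffic in it are made up. One point worth noting: the TCP flags byte sits at offset 13 of the TCP header, so 14 (Ethernet) + 20 (IPv4, no options) + 14 = 48 captured bytes are the minimum for the check; the example shows that a 66-byte snaplen keeps the flags while a 40-byte one silently loses every SYN.

```python
import os
import struct
import tempfile
from collections import Counter
from typing import Dict, Iterator, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4      # magic as read little-endian from a LE file
PCAP_MAGIC_BE = 0xD4C3B2A1      # same bytes read from a BE file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def iter_pcap_records(path: str) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (ts_sec, ts_usec, orig_len, captured_bytes) one record at a time.
    Only one record is ever held in memory, whatever the file size."""
    with open(path, "rb") as fh:
        gh = fh.read(24)
        if len(gh) < 24:
            raise ValueError("not a pcap file (short global header)")
        magic = struct.unpack("<I", gh[:4])[0]
        endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
        if endian is None:
            raise ValueError("unsupported pcap magic %#x (pcapng?)" % magic)
        if struct.unpack(endian + "I", gh[20:24])[0] != LINKTYPE_ETHERNET:
            raise ValueError("only Ethernet link type is handled here")
        while True:
            rh = fh.read(16)
            if len(rh) < 16:
                return                      # clean EOF or a cut-off record header
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", rh)
            data = fh.read(incl_len)
            if len(data) < incl_len:
                return                      # truncated final record: stop, don't crash
            yield ts_sec, ts_usec, orig_len, data


def is_syn_only(frame: bytes) -> bool:
    """True for IPv4/TCP with SYN set and ACK clear. Frames cut too short by a
    small snaplen return False rather than raising."""
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ihl < 20 or ip[9] != IPPROTO_TCP:
        return False
    tcp = ip[ihl:]
    if len(tcp) < 14:
        return False                        # flags byte (offset 13) not captured
    return tcp[13] & (TCP_FLAG_SYN | TCP_FLAG_ACK) == TCP_FLAG_SYN


def syn_rate_per_second(path: str) -> Dict[int, int]:
    """Count SYN-only segments per epoch second in a streaming pass."""
    counts: Counter = Counter()
    for ts_sec, _usec, _orig, frame in iter_pcap_records(path):
        if is_syn_only(frame):
            counts[ts_sec] += 1
    return dict(counts)


def truncate_pcap(src: str, dst: str, snaplen: int = 66) -> int:
    """Streaming equivalent of 'editcap -s <snaplen>'; returns records written."""
    written = 0
    with open(dst, "wb") as fout:
        fout.write(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, orig_len, frame in iter_pcap_records(src):
            frame = frame[:snaplen]
            fout.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len))
            fout.write(frame)
            written += 1
    return written


def build_frame(flags: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (zero MACs, 10.0.0.1 -> 10.0.0.2:80)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp


def write_sample_pcap(path: str) -> None:
    """Constructed sample capture: 3 SYNs at t=1000, one SYN/ACK, one ACK with
    payload, and 1 SYN at t=1001. Not real traffic."""
    records = [(1000, TCP_FLAG_SYN, b""), (1000, TCP_FLAG_SYN, b""),
               (1000, TCP_FLAG_SYN | TCP_FLAG_ACK, b""), (1000, TCP_FLAG_SYN, b""),
               (1000, TCP_FLAG_ACK, b"GET / HTTP/1.0\r\n\r\n"), (1001, TCP_FLAG_SYN, b"")]
    with open(path, "wb") as fout:
        fout.write(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts_sec, flags, payload in records:
            frame = build_frame(flags, payload)
            fout.write(struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)))
            fout.write(frame)


def demo(snaplen: int) -> Dict[int, int]:
    """Write the sample, truncate it to snaplen, and return the SYN-per-second bins."""
    d = tempfile.mkdtemp()
    big, small = os.path.join(d, "sample.pcap"), os.path.join(d, "sample_trunc.pcap")
    write_sample_pcap(big)
    truncate_pcap(big, small, snaplen)
    return syn_rate_per_second(small)


if __name__ == "__main__":
    print(demo(66))   # {1000: 3, 1001: 1}
    print(demo(40))   # {}  -> snaplen too small to reach the TCP flags byte
```

On a real capture the same `syn_rate_per_second` loop runs over a 145GB file in constant memory; the per-second dict is the only thing that grows, and at one entry per second it stays small even for a day-long trace. For a large file you would still point `truncate_pcap` (or editcap) at it first only if you need the smaller file for other tools, since the streaming reader itself does not care about record size.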