|
Hello, I want to filter only the SYN packets from TCP SYN scan (both for open ports(SYN->SYN/ACK->RST) and closed ports(SYN->RST/ACK)) from a pcap file. I have written a following script to do the same and it seems working for me. for stream in `tshark -nr capture.pcap -Y "(ip.dst==192.68.167.00/24 && tcp.seq==1 && tcp.flags.reset==1 && tcp.flags.ack==0)||(tcp.flags.reset==1 && tcp.flags.ack==1 && tcp.ack==1)" -T fields -e tcp.stream | sort -n | uniq` do tshark -r capture.pcap -w ./portscans/stream_$stream.pcap -Y "ip.dst==192.68.167.00/24 && tcp.seq==0 && tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.stream eq $stream" done But the above script is taking hell out of time to run it.. It is taking more than a day to filter out packets from a 150MB pcap file. Can someone suggest me any other method to do the same(with tshark or snort)? |
This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.
Follow this question
By Email:Once you sign in you will be able to subscribe for any updates here
By RSS:Markdown Basics
- *italic* or _italic_
- **bold** or __bold__
- link:[text](http://url.com/ "title")
- image?
- numbered list: 1. Foo 2. Bar
- to add a line break simply add two spaces to where you would like the new line to be.
- basic HTML tags are also supported
You have a trillion packets.
You need to see four of them.
Riverbed Technology lets you seamlessly move between packets and flows for comprehensive monitoring, analysis and troubleshooting.
Riverbed is Wireshark's primary sponsor and provides our funding.
Question tags:
question asked: 17 Feb '17, 04:35
question was seen: 1,756 times
last updated: 17 Feb '17, 08:17
Related questions
powered by OSQA
