Hello, I want to filter only the SYN packets from TCP SYN scan (both for open ports(SYN->SYN/ACK->RST) and closed ports(SYN->RST/ACK)) from a pcap file. I have written a following script to do the same and it seems working for me. for stream in `tshark -nr capture.pcap -Y "(ip.dst==192.68.167.00/24 && tcp.seq==1 && tcp.flags.reset==1 && tcp.flags.ack==0)||(tcp.flags.reset==1 && tcp.flags.ack==1 && tcp.ack==1)" -T fields -e tcp.stream | sort -n | uniq` do tshark -r capture.pcap -w ./portscans/stream_$stream.pcap -Y "ip.dst==192.68.167.00/24 && tcp.seq==0 && tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.stream eq $stream" done But the above script is taking hell out of time to run it.. It is taking more than a day to filter out packets from a 150MB pcap file. Can someone suggest me any other method to do the same(with tshark or snort)? |