This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filtering out specific IPs and domains


I want to make a system to analyze pcap files. So far I'm using Bro (for JSON output) and the Elastic stack for visualizing the data. This works great, but there is a lot of traffic in the pcaps from ad-servers that I want to filter out. I've been looking at modifying Bro to do the job when processing pcaps, but I think it would be easier/better to remove the unwanted traffic before processing with Bro, for example with tshark.

I found some lists of ad-server IPs and domains at the following URLs:

https://pgl.yoyo.org/as/serverlist.php?hostformat=nohtml
https://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext

These lists are not complete, but they do cover many ad-servers that I want to exclude from the pcaps I want to analyze.

1) What would be a good tshark filter to remove ad-server traffic (IP and domain) and create a new 'clean' pcap?
2) Is there a limitation to a tshark command/filter with, let's say, thousands of IPs and domains? Because the aforementioned lists are pretty long.
3) Can this solution of sanitizing pcaps also work on larger 30GB+ pcaps (after merging, for example)?

asked 04 May '17, 02:45


r00t070
6437
accept rate: 0%

edited 04 May '17, 02:46
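The following is an added example written for this page, not code from the poster or from the Wireshark project. It turns list files of the shape the question links to (one IP or hostname per line, blank lines and `#` comments ignored; the contents below are constructed, not the real lists) into a tshark exclusion filter of the form `!(ip.addr == a || dns.qry.name == "b" || ...)` and the `tshark -r in -Y filter -w out` invocation that writes the clean capture. It assumes the stock field names `ip.addr`, `dns.qry.name` and `http.host`; the SNI field name depends on the Wireshark version (`ssl.handshake.extensions_server_name` before 3.0, `tls.handshake.extensions_server_name` from 3.0 on), so it is a parameter. It also answers the length question from the post: tshark gets the whole display filter as one command-line argument, and Linux caps a single argument at 128 KiB (MAX_ARG_STRLEN), so the example splits an oversized term list into several chained passes.

```python
"""Build tshark exclusion filters from ad-server IP and hostname lists (added example)."""
import ipaddress
import shlex

# Constructed sample list contents, in the same one-entry-per-line shape as the
# yoyo.org lists. These are documentation addresses, not real ad-server entries.
SAMPLE_IP_LIST = """# ad-server IPs, one per line
192.0.2.10
192.0.2.11

198.51.100.5
not-an-ip
"""
SAMPLE_HOST_LIST = """ads.example.net
tracker.example.org
"""

# Linux limits one argv string to 128 KiB (MAX_ARG_STRLEN); the display filter
# is passed to tshark as a single argument, so long lists must be split.
MAX_FILTER_BYTES = 128 * 1024


def parse_entries(text):
    """Return the non-empty, non-comment lines of a list file, stripped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(line)
    return out


def valid_ips(entries):
    """Keep only syntactically valid IPv4/IPv6 addresses; silently drop the rest."""
    keep = []
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            continue
        keep.append(entry)
    return keep


def ip_terms(ips):
    # ip.addr matches source or destination, so one term per address suffices.
    return ["ip.addr == %s" % ip for ip in ips]


def host_terms(hosts, sni_field="tls.handshake.extensions_server_name"):
    # A packet filter only sees a hostname where it is carried on the wire:
    # the DNS query, the HTTP Host header and the TLS ClientHello SNI.
    terms = []
    for host in hosts:
        terms.append('dns.qry.name == "%s"' % host)
        terms.append('http.host == "%s"' % host)
        terms.append('%s == "%s"' % (sni_field, host))
    return terms


def exclusion_filters(terms, max_bytes=MAX_FILTER_BYTES):
    """Wrap terms as !(a || b || ...), splitting into several filters if one would exceed max_bytes."""
    filters, current = [], []
    for term in terms:
        candidate = "!(%s)" % " || ".join(current + [term])
        if current and len(candidate.encode()) > max_bytes:
            filters.append("!(%s)" % " || ".join(current))
            current = [term]
        else:
            current.append(term)
    if current:
        filters.append("!(%s)" % " || ".join(current))
    return filters


def tshark_commands(in_pcap, out_pcap, filters):
    """One tshark pass per filter; each pass reads the previous pass's output."""
    cmds, src = [], in_pcap
    for i, filt in enumerate(filters):
        dst = out_pcap if i == len(filters) - 1 else "%s.pass%d" % (out_pcap, i)
        cmds.append(["tshark", "-r", src, "-Y", filt, "-w", dst])
        src = dst
    return cmds


def build_pipeline(ip_text, host_text, in_pcap, out_pcap, max_bytes=MAX_FILTER_BYTES):
    """Full chain: parse both lists, build the exclusion filter(s), emit the tshark command(s)."""
    terms = ip_terms(valid_ips(parse_entries(ip_text))) + host_terms(parse_entries(host_text))
    return tshark_commands(in_pcap, out_pcap, exclusion_filters(terms, max_bytes))


if __name__ == "__main__":
    # Hypothetical file names; replace with real paths to run the printed commands.
    for cmd in build_pipeline(SAMPLE_IP_LIST, SAMPLE_HOST_LIST, "merged.pcap", "clean.pcap"):
        print(" ".join(shlex.quote(c) for c in cmd))
```

Two caveats on what this does and does not remove. Matching on a hostname drops only the packets that carry the name (the DNS lookup, the HTTP request with that Host header, the TLS ClientHello); the rest of the same TCP connection stays in the pcap unless its server address is also in the IP list, which is why a connection-level view such as Bro's is the better place to drop whole flows by name. On the 30GB+ question, tshark reads the capture sequentially and writes matching packets as it goes, so size is bounded by disk and time rather than memory, but each extra pass re-reads the full output of the previous one, so keep the term list short enough for one pass where you can.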