2025-01-18 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >
Shulou(Shulou.com)06/01 Report--
Today the editor will share the relevant knowledge about how to use pcap files under Linux. The content is detailed and the logic is clear. I believe most people still know too little about this topic, so this article is shared for your reference; I hope you gain something from reading it.
A pcap file is a commonly used format for storing captured packets (datagrams). It can be thought of as an ordinary file format, but the data inside is laid out in a specific structure, so anything that parses it must follow that same structure.
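As an added example (not code from the original article), here is a minimal reader and writer for that structure, built from the public libpcap file layout: a 24-byte global header (magic, version, time zone offset, timestamp accuracy, snaplen, link type) followed by a 16-byte record header in front of every packet. The sample records are constructed. The reader derives byte order and timestamp resolution from the magic number and rejects records whose declared lengths do not fit the file, which is the first check any tool reading captures of unknown origin needs.

```python
import struct
from typing import Dict, List, Tuple

# Classic libpcap layout (public format, not code from the article):
# 24-byte global header, then a 16-byte record header before every packet.
PCAP_MAGIC_US = 0xA1B2C3D4   # timestamps in seconds + microseconds
PCAP_MAGIC_NS = 0xA1B23C4D   # timestamps in seconds + nanoseconds
LINKTYPE_ETHERNET = 1

Record = Tuple[int, int, bytes]  # (ts_sec, ts_frac, captured bytes)


def write_pcap(records: List[Record], snaplen: int = 65535,
               linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialize records as a little-endian, microsecond-resolution pcap file."""
    # magic, version_major, version_minor, thiszone, sigfigs, snaplen, network
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, data in records:
        captured = data[:snaplen]
        # ts_sec, ts_usec, incl_len (bytes saved in file), orig_len (bytes on the wire)
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(data)))
        out.append(captured)
    return b"".join(out)


def read_pcap(blob: bytes) -> Tuple[Dict[str, object], List[Record]]:
    """Parse a pcap file image; byte order and timestamp unit come from the magic."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    (magic_le,) = struct.unpack("<I", blob[:4])
    (magic_be,) = struct.unpack(">I", blob[:4])
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a pcap file: bad magic 0x%08x" % magic_le)
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    header = {"version": (major, minor), "snaplen": snaplen,
              "linktype": linktype, "nanosecond": magic == PCAP_MAGIC_NS}
    records: List[Record] = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        # A damaged or hostile file can declare lengths that the file does not
        # contain or that exceed the snaplen; reject instead of reading past the end.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(blob):
            raise ValueError("bad record length %d at offset %d" % (incl_len, off - 16))
        records.append((ts_sec, ts_frac, blob[off:off + incl_len]))
        off += incl_len
    return header, records


if __name__ == "__main__":
    # Constructed sample: two packets, round-tripped through the writer and reader.
    sample = [(1418206261, 123456, b"\x00" * 60), (1418206262, 0, b"\xff" * 14)]
    header, parsed = read_pcap(write_pcap(sample))
    print(header, len(parsed), "records")
```

The round trip through write_pcap and read_pcap is enough to inspect any of the fields the command-line tools below operate on (timestamps, captured length, snaplen) without a live capture.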
Editcap and Mergecap
Wireshark, the most popular GUI sniffing tool, actually comes with a very useful set of command-line tools. These include editcap and mergecap. Editcap is a versatile pcap editor that can filter and split pcap files in a variety of ways. Mergecap can merge multiple pcap files into one. This article is based on these Wireshark command line tools.
If you have already installed Wireshark, these tools are already on your system. If not, install the Wireshark command-line tools as follows. Note that on Debian-based distributions you can install only the command-line tools without the Wireshark GUI, whereas on Red Hat and its derived distributions you need to install the entire Wireshark package.
On Debian, Ubuntu or Linux Mint:
$ sudo apt-get install wireshark-common
On Fedora, CentOS or RHEL:
$ sudo yum install wireshark
Once the tools are installed, you can start using editcap and mergecap.
Pcap file filtering
With editcap, we can filter the contents of the pcap file with many different rules and save the filter results to the new file.
First, filter the pcap file by start and end time. The "-A" and "-B" options select the packets that arrived during that period (for example, from 2:30 to 2:35). The time format is "YYYY-MM-DD HH:MM:SS".
$ editcap -A '2014-12-10 10:11:01' -B '2014-12-10 10:21:01' input.pcap output.pcap
You can also extract a specific range of N packets from a file. The following command extracts 100 packets (numbers 401 to 500) from input.pcap and saves them to output.pcap. The "-r" option is required here: without it, editcap discards the listed packets and keeps everything else.
$ editcap -r input.pcap output.pcap 401-500
Duplicate packets can be removed with the "-D" option (dup-window is the size of the comparison window: each packet is compared only with the packets within that range). Each packet in turn has its length and MD5 hash compared with the dup-window - 1 packets before it, and if there is a match it is discarded.
$ editcap -D 10 input.pcap output.pcap
The window can also be defined as a time interval. With the "-w" option, a packet is compared with the packets that arrived within the given number of seconds before it.
$ editcap -w 0.5 input.pcap output.pcap
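The following added example (not from the original article) reproduces the semantics of the filters above in Python on an in-memory list of (ts_sec, ts_usec, bytes) records, so their behaviour can be checked without a capture file: the -A/-B time window, the -r packet range, the -D packet-count duplicate window and the -w time-based duplicate window. The sample packets are constructed. Two assumptions are labelled in the code: time strings are interpreted as UTC here, whereas editcap itself uses the local time zone, and the window is taken as start-inclusive, end-exclusive; consult editcap(1) for the tool's exact boundary rule.

```python
import hashlib
from collections import deque
from datetime import datetime, timezone
from typing import Dict, List, Tuple

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, packet bytes)


def _us(rec: Record) -> int:
    """Timestamp in whole microseconds; integers avoid float rounding at epoch scale."""
    return rec[0] * 1_000_000 + rec[1]


def parse_time(text: str) -> int:
    """'YYYY-MM-DD HH:MM:SS' -> epoch seconds. Assumption: UTC (editcap uses local time)."""
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def filter_time_window(records: List[Record], start: str, end: str) -> List[Record]:
    """editcap -A start -B end: keep packets with start <= ts < end.
    Start-inclusive / end-exclusive is an assumption; see editcap(1) for the exact rule."""
    t0, t1 = parse_time(start) * 1_000_000, parse_time(end) * 1_000_000
    return [r for r in records if t0 <= _us(r) < t1]


def select_range(records: List[Record], first: int, last: int) -> List[Record]:
    """editcap -r in out first-last: keep packets numbered first..last (1-based, inclusive)."""
    if first < 1 or last < first:
        raise ValueError("bad packet range")
    return records[first - 1:last]


def _signature(rec: Record) -> Tuple[int, bytes]:
    # editcap compares the captured length and the MD5 of the packet bytes
    return len(rec[2]), hashlib.md5(rec[2]).digest()


def dedup_window(records: List[Record], dup_window: int) -> List[Record]:
    """editcap -D dup_window: drop a packet whose (length, MD5) matches any of the
    dup_window - 1 packets read before it. Dropped packets stay in the window, as in editcap."""
    if dup_window < 1:
        raise ValueError("dup_window must be >= 1")
    recent: deque = deque(maxlen=dup_window - 1)
    kept: List[Record] = []
    for rec in records:
        sig = _signature(rec)
        if sig not in recent:
            kept.append(rec)
        recent.append(sig)
    return kept


def dedup_time(records: List[Record], seconds: float) -> List[Record]:
    """editcap -w seconds: drop a packet if an identical packet was seen no more than
    `seconds` earlier. Simplified: editcap also bounds the search by a fixed ring buffer."""
    limit = int(round(seconds * 1_000_000))
    last_seen: Dict[Tuple[int, bytes], int] = {}
    kept: List[Record] = []
    for rec in records:
        sig, t = _signature(rec), _us(rec)
        prev = last_seen.get(sig)
        if prev is None or t - prev > limit:
            kept.append(rec)
        last_seen[sig] = t
    return kept


# Constructed sample: six packets around the article's 10:11-10:21 window.
T = parse_time("2014-12-10 10:10:00")
SAMPLE: List[Record] = [
    (T, 0, b"A" * 60),               # 10:10:00.0, before the window
    (T + 61, 500000, b"B" * 60),     # 10:11:01.5, inside
    (T + 62, 0, b"B" * 60),          # 10:11:02.0, duplicate of the previous, 0.5 s later
    (T + 300, 0, b"C" * 40),         # 10:15:00.0, inside
    (T + 300, 400000, b"C" * 40),    # 10:15:00.4, duplicate 0.4 s later
    (T + 700, 0, b"D" * 60),         # 10:21:40.0, after the window
]

if __name__ == "__main__":
    print(len(filter_time_window(SAMPLE, "2014-12-10 10:11:01", "2014-12-10 10:21:01")), "in window")
    print(len(dedup_window(SAMPLE, 10)), "after -D 10")
    print(len(dedup_time(SAMPLE, 0.5)), "after -w 0.5")
```

Note the difference between the two duplicate modes on the same sample: -D counts packets, so a repeat that arrives after more than dup-window - 1 other packets survives, while -w counts seconds, so the 0.5 s repeat is dropped at "-w 0.5" but kept at "-w 0.3".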
Split pcap files
Editcap is also very useful when you need to split a large pcap file into several smaller ones. To split a pcap file into files with the same number of packets:
$ editcap -c <packets-per-file> <input-pcap-file> <output-prefix>
Each output file contains the same number of packets and is named in the form <output-prefix>-NNNN. To split a pcap file at fixed time intervals:
$ editcap -i <seconds-per-file> <input-pcap-file> <output-prefix>
Merge pcap files
Mergecap is convenient when you want to merge several files into one. By default, mergecap sorts the packets of all inputs in chronological order.
$ mergecap -w output.pcap input.pcap input2.pcap [input3.pcap ...]
If you want to ignore the timestamps and simply concatenate the files in command-line order, use the "-a" option. For example, the following command writes the contents of input.pcap to output.pcap and appends the contents of input2.pcap after it.
$ mergecap -a -w output.pcap input.pcap input2.pcap
That is all the content of this article, "How to use pcap files under Linux". Thank you for reading.
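To make the split and merge behaviour above concrete, here is an added Python example (not code from the article or from Wireshark) that applies the same rules to in-memory (ts_sec, ts_usec, bytes) records: splitting by packet count and by time interval as editcap -c and -i do, and merging by timestamp versus plain concatenation as mergecap does with and without -a. The two captures are constructed, and one simplification is labelled in the code: an empty time interval produces no output file here.

```python
from typing import List, Tuple

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, packet bytes)


def _us(rec: Record) -> int:
    return rec[0] * 1_000_000 + rec[1]


def split_by_count(records: List[Record], per_file: int) -> List[List[Record]]:
    """editcap -c N: consecutive chunks of N packets; the last chunk may be shorter."""
    if per_file < 1:
        raise ValueError("per_file must be >= 1")
    return [records[i:i + per_file] for i in range(0, len(records), per_file)]


def split_by_interval(records: List[Record], seconds: float) -> List[List[Record]]:
    """editcap -i S: uniform S-second buckets measured from the first packet, in file order.
    Simplification: an empty bucket yields no file here (editcap may emit empty files)."""
    if not records:
        return []
    interval = int(round(seconds * 1_000_000))
    first = _us(records[0])
    files: List[List[Record]] = []
    bucket = None
    for rec in records:
        idx = (_us(rec) - first) // interval
        if idx != bucket:          # crossing into a new interval starts a new output file
            files.append([])
            bucket = idx
        files[-1].append(rec)
    return files


def merge_chronological(*captures: List[Record]) -> List[Record]:
    """mergecap default: interleave inputs by timestamp. sorted() is stable, so packets
    with equal timestamps keep command-line order. mergecap does a k-way merge and
    assumes each input is already time-ordered; a full sort only differs when one is not."""
    return sorted((r for cap in captures for r in cap), key=_us)


def merge_concatenate(*captures: List[Record]) -> List[Record]:
    """mergecap -a: ignore timestamps and append the files in command-line order."""
    return [r for cap in captures for r in cap]


# Constructed sample: two short captures whose time ranges overlap.
CAP_A: List[Record] = [(100, 0, b"a1"), (103, 0, b"a2"), (110, 0, b"a3")]
CAP_B: List[Record] = [(101, 0, b"b1"), (120, 0, b"b2")]

if __name__ == "__main__":
    print([r[2] for r in merge_chronological(CAP_A, CAP_B)])
    print([r[2] for r in merge_concatenate(CAP_A, CAP_B)])
    print([[r[2] for r in f] for f in split_by_interval(merge_chronological(CAP_A, CAP_B), 5)])
```

Running the block shows why the default merge matters for analysis: with overlapping captures, concatenation puts b1 (t=101) after a3 (t=110), so any timeline built from the merged file would be wrong unless the packets are re-sorted.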
© 2024 shulou.com SLNews company. All rights reserved.