Wireshark – Capturing the Start of a TCP Flow

tcp, wireshark

Is it possible to capture only the first 10k of data in a TCP flow and discard the rest at capture time? I have a large number of TCP sessions where each session starts with some metadata and then proceeds with an enormous binary dump. I suspect an occasional problem in the metadata portion of the flow and want to capture it for study, but don't have enough resources to keep all of the bulk data segments around.

How would you set up such a capture?

I've found filters for segment length and total reassembled length, but the former is effectively just packet size and the latter doesn't increment each time the window is updated; it's calculated once for the entire flow. Maybe there is a way to do the math for the sequence numbers? I don't know how to do that in a capture filter though, not even in Wireshark's more powerful display filters. Maybe there is a better tool? I'm working on a Linux machine.

Best Answer

Wireshark and other capture tools are not aware of TCP streams during capture. They would have to save TCP stream state in memory to do that, which would reduce throughput.

That being said, there might be a way. If your packets have metadata, there might be some sort of identifier (header, string, etc.) that is in all the packets with metadata. If so, you could filter these with iptables and feed them to an NFLOG target, which can be captured with dumpcap, a tool that is shipped with Wireshark.

For example, if all your metadata packets have an "X-Metadata" string in them, and you capture them on eth0, you could do:

iptables -A INPUT -i eth0 -m string --algo bm --string "X-Metadata" -j NFLOG --nflog-group 1
dumpcap -i nflog:1 -w test.pcap

This will save all packets with "X-Metadata" in them to the test.pcap file. Mind you, if there is some other way to identify packets with metadata, iptables might be able to do that. There are many filters/extensions.
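As an added example (not part of the original question or answer), the following Python sketch does the sequence-number math the question asks about, applied after the fact to already-decoded segments: it keeps only the segments whose payload starts within the first 10 KiB of each direction of a flow and drops the bulk that follows. The Segment type, addresses and sequence numbers are constructed for illustration; in practice the fields would be decoded from a pcap written by dumpcap.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


@dataclass(frozen=True)
class Segment:
    """Minimal view of one TCP segment (constructed; not a real packet parser)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    syn: bool
    payload_len: int


def keep_first_bytes(segments: Iterable[Segment], limit: int = 10 * 1024) -> List[Segment]:
    """Return the segments whose payload starts within the first `limit` bytes
    of its direction of the flow; later segments of that direction are discarded.

    Each direction (src:sport -> dst:dport) is tracked separately, since both
    the client's and the server's byte streams may start with metadata.
    A SYN (re)sets the baseline (data begins at ISN+1 because the SYN itself
    consumes one sequence number); a flow first seen mid-stream uses its first
    observed seq as the baseline. Arithmetic is modulo 2^32 so wrapped
    sequence counters still compare correctly. Retransmissions of early
    segments have a small offset and are therefore kept.
    """
    isn: Dict[Tuple[str, int, str, int], int] = {}
    kept: List[Segment] = []
    for s in segments:
        key = (s.src, s.sport, s.dst, s.dport)
        if s.syn or key not in isn:
            isn[key] = (s.seq + 1) % SEQ_MOD if s.syn else s.seq
        offset = (s.seq - isn[key]) % SEQ_MOD  # stream offset of this payload
        if s.syn or offset < limit:
            kept.append(s)
    return kept


# Constructed sample flow: client ISN sits just below the 2^32 wrap boundary.
CLIENT = ("10.0.0.1", 40000, "203.0.113.5", 443)
SERVER = ("203.0.113.5", 443, "10.0.0.1", 40000)
ISN_C = 0xFFFFF000
SAMPLE = [
    Segment(*CLIENT, seq=ISN_C, syn=True, payload_len=0),                         # SYN
    Segment(*SERVER, seq=1000, syn=True, payload_len=0),                          # SYN/ACK
    Segment(*CLIENT, seq=(ISN_C + 1) % SEQ_MOD, syn=False, payload_len=512),      # metadata, offset 0
    Segment(*CLIENT, seq=(ISN_C + 513) % SEQ_MOD, syn=False, payload_len=1460),   # offset 512, kept
    Segment(*SERVER, seq=1001, syn=False, payload_len=200),                       # server metadata
    Segment(*CLIENT, seq=(ISN_C + 20001) % SEQ_MOD, syn=False, payload_len=1460), # offset 20000 (wrapped), dropped
    Segment(*SERVER, seq=16201, syn=False, payload_len=1460),                     # offset 15200, dropped
]

if __name__ == "__main__":
    print(f"kept {len(keep_first_bytes(SAMPLE))} of {len(SAMPLE)} segments")
```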
