I captured a really big tcpdump file which now always crashes my wireshark. It was captured with no filters and I need to apply some afterwards to make the file smaller.
Is this somehow possible?
Filter tcpdump file AFTER capturing
filtertcpdumpwireshark
Related Solutions
You can use tcpdump itself with the -C, -r and -w options
tcpdump -r old_file -w new_files -C 10
The "-C" option specifies the size of the file to split into. Eg: In the above case new files size will be 10 million bytes each.
I hope somebody is still interested in the solution to the problem. ;) We had the same issue in our company and I started writing a script for this.
I wrote a blog post about it with the source code and a screenshot.
I've also shared it below...
And the code: (Be sure to check my site for future updates)
#!/bin/bash
#===================================================================================
#
# FILE: dump.sh
# USAGE: dump.sh [-i interface] [tcpdump-parameters]
# DESCRIPTION: tcpdump on any interface and add the prefix [Interace:xy] in front of the dump data.
# OPTIONS: same as tcpdump
# REQUIREMENTS: tcpdump, sed, ifconfig, kill, awk, grep, posix regex matching
# BUGS: ---
# FIXED: - In 1.0 The parameter -w would not work without -i parameter as multiple tcpdumps are started.
# - In 1.1 VLAN's would not be shown if a single interface was dumped.
# NOTES: ---
# - 1.2 git initial
# AUTHOR: Sebastian Haas
# COMPANY: pharma mall
# VERSION: 1.2
# CREATED: 16.09.2014
# REVISION: 22.09.2014
#
#===================================================================================
# When this exits, exit all background processes:
trap 'kill $(jobs -p) &> /dev/null && sleep 0.2 && echo ' EXIT
# Create one tcpdump output per interface and add an identifier to the beginning of each line:
if [[ $@ =~ -i[[:space:]]?[^[:space:]]+ ]]; then
tcpdump -l $@ | sed 's/^/[Interface:'"${BASH_REMATCH[0]:2}"'] /' &
else
for interface in $(ifconfig | grep '^[a-z0-9]' | awk '{print $1}')
do
tcpdump -l -i $interface -nn $@ | sed 's/^/[Interface:'"$interface"'] /' &
done
fi
# wait .. until CTRL+C
wait
Related Topic
- Tcpdump filter for tcp zero window messages
- How to parse OpenFlow packets using tcpdump capture file programmatically
- Tcpdump – how to check rate of packets
- Ssl – tcpdump Server Hello Certificate Filter
- Tcpdump maximum split file size
- How would a PCAP filter look like to capture all DHCP related traffic
- TCPDump – Redirect Generated PCAP File to Another Server While Capturing
Best Answer
Yes, it is possible. You can use the following command:
Tcpdump will read the input file, apply the filter, and then write the output file. You need just to come up with the right filter.