Is there something that can break up tcpdump file after the captuure and make sure the breaks are on the border of packet data?
Like -C but after the fact.
How to Break Up Large tcpdump Files
tcpdump
Related Solutions
Wireshark is probably the best, but if you want/need to look at the payload without loading up a GUI you can use the -X or -A options
tcpdump -qns 0 -X -r serverfault_request.pcap
14:28:33.800865 IP 10.2.4.243.41997 > 69.59.196.212.80: tcp 1097
0x0000: 4500 047d b9c4 4000 4006 63b2 0a02 04f3 E..}..@.@.c.....
0x0010: 453b c4d4 a40d 0050 f0d4 4747 f847 3ad5 E;.....P..GG.G:.
0x0020: 8018 f8e0 1d74 0000 0101 080a 0425 4e6d .....t.......%Nm
0x0030: 0382 68a1 4745 5420 2f71 7565 7374 696f ..h.GET./questio
0x0040: 6e73 2048 5454 502f 312e 310d 0a48 6f73 ns.HTTP/1.1..Hos
0x0050: 743a 2073 6572 7665 7266 6175 6c74 2e63 t:.serverfault.c
0x0060: 6f6d 0d0a 5573 6572 2d41 6765 6e74 3a20 om..User-Agent:.
0x0070: 4d6f 7a69 6c6c 612f 352e 3020 2858 3131 Mozilla/5.0.(X11
0x0080: 3b20 553b 204c 696e 7578 2069 3638 363b ;.U;.Linux.i686;
tcpdump -qns 0 -A -r serverfault_request.pcap
14:29:33.256929 IP 10.2.4.243.41997 > 69.59.196.212.80: tcp 1097
E..}..@.@.c.
...E;...^M.P..^w.G.......t.....
.%.}..l.GET /questions HTTP/1.1
Host: serverfault.com
There are many other tools for reading and getting stats, extracting payloads and so on. A quick look on the number of things that depend on libpcap in the debian package repository gives a list of 50+ tools that can be used to slice, dice, view, and manipulate captures in various ways.
For example.
I hope somebody is still interested in the solution to the problem. ;) We had the same issue in our company and I started writing a script for this.
I wrote a blog post about it with the source code and a screenshot.
I've also shared it below...
And the code: (Be sure to check my site for future updates)
#!/bin/bash
#===================================================================================
#
# FILE: dump.sh
# USAGE: dump.sh [-i interface] [tcpdump-parameters]
# DESCRIPTION: tcpdump on any interface and add the prefix [Interace:xy] in front of the dump data.
# OPTIONS: same as tcpdump
# REQUIREMENTS: tcpdump, sed, ifconfig, kill, awk, grep, posix regex matching
# BUGS: ---
# FIXED: - In 1.0 The parameter -w would not work without -i parameter as multiple tcpdumps are started.
# - In 1.1 VLAN's would not be shown if a single interface was dumped.
# NOTES: ---
# - 1.2 git initial
# AUTHOR: Sebastian Haas
# COMPANY: pharma mall
# VERSION: 1.2
# CREATED: 16.09.2014
# REVISION: 22.09.2014
#
#===================================================================================
# When this exits, exit all background processes:
trap 'kill $(jobs -p) &> /dev/null && sleep 0.2 && echo ' EXIT
# Create one tcpdump output per interface and add an identifier to the beginning of each line:
if [[ $@ =~ -i[[:space:]]?[^[:space:]]+ ]]; then
tcpdump -l $@ | sed 's/^/[Interface:'"${BASH_REMATCH[0]:2}"'] /' &
else
for interface in $(ifconfig | grep '^[a-z0-9]' | awk '{print $1}')
do
tcpdump -l -i $interface -nn $@ | sed 's/^/[Interface:'"$interface"'] /' &
done
fi
# wait .. until CTRL+C
wait
Related Topic
- Linux – How to run tcpdump on Centos right after reboot
- Tcpdump – how to check rate of packets
- Ssl – tcpdump Server Hello Certificate Filter
- Bash – One second delay before tcpdump returns packets
- Netstat says connection in SYN_SENT but tcpdump captures no data
- iptables – Tcpdump Shows Different Redirection Port After Adding REDIRECT Rule
Best Answer
I've used
editcapin the past, with great success.That command should generate one or more files named
smaller-out-00000,smaller-out-00001and so on, containing the firs, second, etc thousand packets from the input file.