When creating a tcpdump capture, you don’t want to exclude too much information, otherwise the trace can become useless. However, large output files can be a pain to load and examine in Wireshark. There are some solutions though.
Create multiple files
tcpdump -n -C 128 -W 100 -i eth0 -w /tmp/packetlog.pcap &
- -n don’t do reverse lookups on IPs, don’t convert port numbers to text descriptions, don’t convert MAC addresses to names, etc.
- -C 128 rotate capture files every 128,000,000 bytes (128MB)
- -W 100 limit the number of capture files being rotated (see -C) to 100
- -i eth0 capture on interface eth0
- -w /tmp/packetlog.pcap use file name /tmp/packetlog.pcap
- & this is parsed by bash; indicates that the command should be run in the background (asynchronously)
Split the output file into smaller chunks
How to split a pcap file into a set of smaller ones:
tcpdump -r old_file -w new_files -C 10
The “-C” option specifies the size of the files to split into. E.g. in the above case each new file will be 10 million bytes.
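Two small helpers, added here as an example and not part of the original post, for both commands above: one computes the worst-case disk footprint of the ring buffer (-C size times -W count, in tcpdump's unit of 1,000,000 bytes; once the ring is full the oldest file is overwritten, so that figure is also how much capture history you keep), the other lists the output files of a -C split in numeric order. With -W, tcpdump zero-pads the numeric suffix so the files sort correctly; without -W, as in the split command, the files are named new_files, new_files1, new_files2, ... and a plain lexical sort puts new_files10 before new_files2, which matters when you merge them back together (for example with mergecap). The directory and file names in the demo are constructed for the demonstration; no tcpdump run is needed.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes tcpdump's -C naming
# without -W: first file NAME, then NAME1, NAME2, ... (unpadded suffixes).

# ring_budget_mbytes SIZE COUNT
# Worst-case disk use of "-C SIZE -W COUNT", in millions of bytes
# (tcpdump's -C unit). E.g. -C 128 -W 100 -> 12800 (about 12.8 GB).
ring_budget_mbytes() {
    echo $(( $1 * $2 ))
}

# rotated_files BASENAME
# Prints BASENAME, BASENAME1, BASENAME2, ... one per line in numeric
# suffix order, so the list can be fed to a merge tool in capture order.
rotated_files() {
    base=$1
    [ -e "$base" ] && printf '%s\n' "$base"
    # Emit "suffix path" pairs, sort numerically on the suffix, keep the path.
    for f in "$base"[0-9]*; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "${f#"$base"}" "$f"
    done | sort -n | cut -d' ' -f2-
}

# Demonstration with constructed empty files standing in for capture chunks.
demo() {
    tmp=$(mktemp -d)
    for n in "" 1 2 10 3; do : > "$tmp/new_files$n"; done
    echo "ring budget for -C 128 -W 100: $(ring_budget_mbytes 128 100) million bytes"
    echo "split files in capture order:"
    rotated_files "$tmp/new_files" | sed "s|$tmp/||"
    rm -rf "$tmp"
}
demo
```

Before starting a long-running capture, compare the ring budget against the free space on the target filesystem (df -h /tmp); a ring that does not fit fills the disk before it ever wraps around.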
Enjoy! M.