Wireshark · Ethereal-users: RE: [Ethereal-users] Export for post treatment

Ethereal-users: RE: [Ethereal-users] Export for post treatment

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "BUYCK Jacky FTRD/DMI/CAE" <jacky.buyck@xxxxxxxxxxxxxxxxxxxx>

Date: Wed, 26 Mar 2003 09:35:55 +0100

Hi.
	What I use in this case is a mix using tcpdump/ethereal for
capturing and tcpdump for post treatment for reducing or limiting the
capture file.

	Capture your networkpacket using tcpdump or ethereal in a file.
	After I use tcpdump with -r option to read the previous file but
I apply new filter to make better filtering. I write the result in a
file using -w option.
	But, like Guy have focus me don't forget the -s 0 or -s 65535
option during capturing to get the full length of the packets. ;)
	
	This way to do is only to make a better filtering on data
capture.

Command line :
	capturing : 		
		tcpdump -s 0 ['first_level_capture_filter'] -w
file.sniff
	better filtering :	
		tcpdump -r file.sniff 'better_filter_1' -w result1.sniff
		tcpdump -r file.sniff 'better_filter_2' -w result2.sniff
		...
	As you can see you can make the number of more targeted sniffing
you want.

	But I'm ok with Guy. For making other work with capture file the
only solution is using libpcap.


Jacky Buyck.



-----Message d'origine-----
De : Guy Harris [mailto:gharris@xxxxxxxxx]
Envoye : mercredi 26 mars 2003 07:49
A : Wenger Serge
Cc : 'ethereal-users@xxxxxxxxxxxx'
Objet : Re: [Ethereal-users] Export for post treatment


On Wed, Mar 26, 2003 at 07:44:54AM +0100, Wenger Serge wrote:
> How can I export data to csv, bin, hex, xml or another well defined
format
> to do these search in a post treatment.

You could either run Tethereal with the "-x" flag, or print to a file
and enable the hex dump; that gives you a text file that includes the
raw hex packet data.

I'm not sure what "bin" is.

You could also just write your own program to read an Ethereal capture,
given that its native format is just libpcap format; you could even try
writing it in Perl:

	http://search.cpan.org/author/TIMPOTTER/Net-Pcap-0.04/Pcap.pm

lets you read libpcap files - use Net::Pcap::open_offline to open the
capture file, and use Net::Pcap::loop to scan through the packets in the
file.

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users

Prev by Date: Re: [Ethereal-users] Export for post treatment
Next by Date: RE: [Ethereal-users] disassociating with AP after few minutes
Previous by thread: Re: [Ethereal-users] Export for post treatment
Next by thread: [Ethereal-users] Text search/etc
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$