Re: pcap flow extraction

["Ivan ." <ivanhec () gmail com>]

Hi Richard,

Thanks for the info, the argus command line works a treat, with a little
massaging with sed I have something workable.

The tshark command does not work with such a large pcap file, it just errors
with 'could not be opened: value too large for defined data type"

thanks
Ivan

On Dec 9, 2007 3:47 PM, Richard Bejtlich <taosecurity () gmail com> wrote:

> Ivan wrote:
>
> > Does anyone have any ideas for flow information extraction from a rather
> > large pcap file, 6 gigs?
> >
> > I am after the standard stuff, source, destination, service.
> >
> > Ethereal/wireshark is a no go, as it won't process the file due to size,
> > tcpflow is OK, but a little untidy.
> >
> > any suggestions are appreciated, preferably open source and also
> > has anyone used "tcpdstat" for something like this?
>
> Ivan,
>
> Argus (qosient.com/argus) is your friend, e.g:
>
> argus -r your.pcap -w - | ra -n -z -L0
>
> Russ McRee wrote a nice Argus 3 intro here:
>
> http://holisticinfosec.org/toolsmith/docs/november2007.pdf
>
> Tcpdstat is not the right tool for this task.  If you do want summary
> stats, Tshark does a better job:
>
> tshark -n -r your.pcap -q -z io,phs
>
> I cover these in my books and blog.
>
> Sincerely,
>
> Richard
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/