tcpdump mailing list archives
Re: multiple pcap files from stdin
From: George Bakos <gbakos () ists dartmouth edu>
Date: Sat, 19 Apr 2003 15:54:52 -0400
tcpslice is a separate utility that isn't actively maintained, although some packagers do bundle it with tcpdump. IMHO, mergecap is a better choice for merging, while tcpslice performs more like a database query tool, using timestamps as key fields.

One critical limitation when merging dumpfiles is a fatal inability to handle pcap files with fewer than two packets. ISTS's version of Shadow, shadowias-1.8 (intrusion analysis system), makes up for this limitation by first excluding empty dumpfiles, then cloning the existing record in single-packet files, effectively creating two-packet files with start & end times acceptable to tcpslice.

Again, if mergecap is available, it is the preferred utility.

There will be a posting here shortly announcing availability of shadowias-1.8

Cheers.

On Sat, 19 Apr 2003 11:11:24 -0700 (PDT) "Steve Bonds" <pow7yec02 () sneakemail com> wrote:
> On Sat, 19 Apr 2003, Michael L. Artz dragon-at-october29.net |TCPdump Workers| wrote:
>
> > Is there a way for me to pipe multiple pcap files to tcpdump on stdin, such as:
> >
> > cat file1.pcap file2.pcap | tcpdump -r -
>
> The utility "tcpslice", included with tcpdump will do this for you. It can also slice up a single capture based on timestamps. In your example you would use:
>
> tcpslice file1.pcap file2.pcap | tcpdump -r -
>
> -- Steve
> -
> This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
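
The workaround described in the message above (exclude empty dumpfiles, clone the lone record in single-packet files) can be sketched as follows. This is an added example, not code from shadowias-1.8 or from the poster; the function names and the sample capture are constructed for illustration, and it assumes classic libpcap files rather than pcapng.

```python
import struct

# Classic libpcap magic as it appears on disk -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16

def split_records(data):
    """Return (global_header, [raw records]) for a classic pcap byte string."""
    if len(data) < GLOBAL_HDR_LEN or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian = MAGICS[data[:4]]
    records, off = [], GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        # Record header: ts_sec, ts_usec, incl_len (bytes stored), orig_len.
        incl_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR_LEN])[2]
        end = off + RECORD_HDR_LEN + incl_len
        if end > len(data):
            break  # truncated trailing record: drop it
        records.append(data[off:end])
        off = end
    return data[:GLOBAL_HDR_LEN], records

def normalize_for_merge(data):
    """None for an empty capture; otherwise a capture with at least two records."""
    header, records = split_records(data)
    if not records:
        return None               # exclude empty dumpfiles
    if len(records) == 1:
        records = records * 2     # clone the lone record: start time == end time
    return header + b"".join(records)

def make_pcap(n):
    """Constructed sample: little-endian Ethernet pcap holding n 4-byte packets."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 1050782092 + i, 0, 4, 4) + b"\xde\xad\xbe\xef"
                    for i in range(n))
    return hdr + body

if __name__ == "__main__":
    for n in (0, 1, 3):
        out = normalize_for_merge(make_pcap(n))
        print(n, "->", "skipped" if out is None else len(split_records(out)[1]))
```

The cloned record is a duplicate packet in the merged output, so anything counting packets downstream will see one extra per single-packet input.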