ret2libc
commented
7 years ago Have you tried something like sysdig -r test.scap "evt.num>=43566 and evt.num<=43590" -w test2.scap?
Closed viraptor closed 7 years ago
ret2libc
commented
7 years ago Have you tried something like sysdig -r test.scap "evt.num>=43566 and evt.num<=43590" -w test2.scap?
viraptor
commented
7 years ago Gasp... Genius @ret2libc ! ;) For some reason I expected this needs to be a sysdig cmdline argument. That definitely works.
Often when I'm looking at a large capture file, I'm only really interested in a small part that's easy to define after a few simple queries. After that, I could speed up the analysis a lot by just selecting only events number N to M, or some time range.
It would be useful as well for slicing big captures to send to other people.