f18m / large-pcap-analyzer

A command-line utility program that performs some simple operations on PCAP files (Wireshark/tcpdump traces) very quickly. Allows you to manipulate very large PCAP files that cannot be easily handled with other software like Wireshark (or tshark). Supports filtering encapsulated GTPu frames. Easily extendible.
GNU General Public License v3.0

The tcpdump-like filter fails to read and match linux cooked captures (with link type SLL) #9

Open beef9 opened 3 years ago

beef9 commented 3 years ago

Executing:

$ large_pcap_analyzer captures.pcap -v -Y "src host X and src port Y" -w output_large_pcap/output.pcap

on a 320MiB file yields:

Successfully compiled PCAP filter: src host X and src port Y
Analyzing PCAP file 'captures.pcap'...
The PCAP file has size 0.31GiB = 320MiB.
Successfully opened output PCAP 'output_large_pcap/output.pcap'
Processing took 0 seconds.
0M packets (939519 packets) were loaded from PCAP (matching PCAP filter).
0M packets (0 packets) matched the filtering criteria (search string / PCAP filters / TCP streams filter) and were saved into output PCAP.

I took the same file and converted all Ethernet layers to correctly formatted Ethernet headers (with src MAC and dst MAC addresses), and now it works:

Successfully compiled PCAP filter: src host X and src port Y
Analyzing PCAP file 'captures_edited.pcapng'...
The PCAP file has size 0.33GiB = 333MiB.
Successfully opened output PCAP 'output_large_pcap/output.pcap'
Processing took 0 seconds.
0M packets (939519 packets) were loaded from PCAP (matching PCAP filter).
0M packets (24312 packets) matched the filtering criteria (search string / PCAP filters / TCP streams filter) and were saved into output PCAP.

MHTTHM commented 3 years ago

Hello, have you solved this problem? I have the same problem now.

beef9 commented 3 years ago

@MHTTHM

Hello, have you solved this problem? I have the same problem now.

I used a tool compiled for Windows; I can't remember the name now, BUT I think I used the app named TraceWrangler. This tool can convert Linux cooked headers to Ethernet pseudo headers, but I don't think it stores the actual MAC addresses. So if you don't care about them, just go with this app.

MHTTHM commented 3 years ago

@MHTTHM

Hello, have you solved this problem? I have the same problem now.

I used a tool compiled for Windows; I can't remember the name now, BUT I think I used the app named TraceWrangler. This tool can convert Linux cooked headers to Ethernet pseudo headers, but I don't think it stores the actual MAC addresses. So if you don't care about them, just go with this app.

Thank you for your help!

f18m commented 3 years ago

Support for Linux cooked headers should not be difficult to add... it's not a priority for me though... patches are welcome :)
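To make the symptom concrete, here is an added example (not code from large-pcap-analyzer or from anyone in this thread) showing why a filter that assumes Ethernet framing matches nothing on a DLT_LINUX_SLL capture: the cooked header is 16 bytes with the protocol field at offset 14, whereas an Ethernet header is 14 bytes with the EtherType at offset 12, so the ethertype check reads the wrong bytes. It assumes the failing path effectively treats every frame as Ethernet, which is consistent with the fact that rewriting the headers made the filter work; the two captures it reads are constructed in memory.

```python
import socket
import struct
DLT_EN10MB = 1       # Ethernet
DLT_LINUX_SLL = 113  # Linux "cooked" capture, e.g. from tcpdump -i any

def ip_header_offset(linktype, pkt):
    # Each link type has its own header length and protocol-field position.
    if linktype == DLT_EN10MB:      # dst MAC(6) src MAC(6) EtherType(2)
        return 14, struct.unpack_from("!H", pkt, 12)[0]
    if linktype == DLT_LINUX_SLL:   # pkttype(2) hatype(2) halen(2) addr(8) proto(2)
        return 16, struct.unpack_from("!H", pkt, 14)[0]
    raise ValueError(f"unsupported link type {linktype}")

def match_src(linktype, pkt, host, port):
    # Same test as the BPF expression "src host HOST and src port PORT" (IPv4 only).
    off, ethertype = ip_header_offset(linktype, pkt)
    if ethertype != 0x0800:
        return False
    ihl = (pkt[off] & 0x0F) * 4
    if pkt[off + 9] not in (6, 17):  # TCP/UDP: the source port is the first L4 field
        return False
    src = socket.inet_ntoa(pkt[off + 12:off + 16])
    return src == host and struct.unpack_from("!H", pkt, off + ihl)[0] == port

def filter_pcap(data, host, port, assume_linktype=None):
    # Returns (packets read, packets matched). assume_linktype overrides the link
    # type recorded in the file header, mimicking a tool that hard-codes Ethernet.
    end = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    linktype = assume_linktype if assume_linktype is not None else linktype
    total, matched, off = 0, 0, 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        total += 1
        matched += match_src(linktype, pkt, host, port)
    return total, matched
# Constructed sample captures (not from the issue): one UDP request and its reply.
def ipv4_udp(src, dst, sport, dport):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + struct.pack("!HHHH", sport, dport, 8, 0)

def build_pcap(linktype, frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
MAC = b"\x02\x00\x00\x00\x00\x01"
FLOWS = [ipv4_udp("10.0.0.1", "10.0.0.2", 5000, 53), ipv4_udp("10.0.0.2", "10.0.0.1", 53, 5000)]
SLL_PCAP = build_pcap(DLT_LINUX_SLL, [struct.pack("!HHH8sH", 0, 1, 6, MAC, 0x0800) + f for f in FLOWS])
ETH_PCAP = build_pcap(DLT_EN10MB, [MAC + MAC + b"\x08\x00" + f for f in FLOWS])
```

Running filter_pcap(SLL_PCAP, "10.0.0.1", 5000, assume_linktype=DLT_EN10MB) reads both packets and matches none, while honouring the file's own link type (or filtering ETH_PCAP) matches the one packet from 10.0.0.1:5000.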