Analyzing large trace files can take time.

$ time tshark -r netscaler.cap -Y "tcp.port = 50340" | wc -l

Figure 1 - large file and the time needed to count frames in 1 TCP stream

In figure 1 it took over 2 minutes to count 21 frames in an 800 megabyte file. So it makes sense to try to extract only the packets that you are interested in and write them to a new file.

tshark: The capture file being read can't be written as a "pcapng" file.

Figure 2a - tshark reading a NetScaler file

$ tshark -r windows.cap -Y "tcp.port = 443" -w windows.pcap
tshark: The capture file being read can't be written as a "pcapng" file.

Figure 2b - tshark reading a file written by the Microsoft Message Analyzer

Now at this point I have to say that Wireshark may be able to "Export Specified Packets": it works for the NetScaler trace, but it's grayed out for the Microsoft trace. Also, if you cannot run Wireshark for whatever reason (no GUI interface, not enough memory to process the large file), you still have an option.

First you need to do a dump of the packets using the "-x" argument.

(tcp.port eq 50340 and tcp.port eq 443)" -o tcp.desegment_tcp_streams:FALSE -x > port_50340_

Note also that I have disabled TCP de-segmentation; if it is enabled, then the last segment of a message that spans multiple packets will contain all of the bytes, which is not what we want in this case.
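Once you have the -x dump, you usually want the raw bytes back out of it. The parser below is an added example, not code from the original post; it assumes the layout tshark -x prints by default (a one-line summary per packet, hex rows of offset, bytes and an ASCII column, a "Frame (N bytes):" or "Reassembled TCP (N bytes):" label only when a frame has more than one data source, and a blank line between packets). The sample dump embedded in it is constructed, and its second frame shows the extra reassembled data source you get when de-segmentation is left enabled.

```python
import re
from collections import namedtuple
# Hex-dump row: 4-digit offset, 2 spaces, 1..16 byte tokens, ASCII column after 3+ spaces.
HEX_ROW = re.compile(r"^([0-9a-fA-F]{4})  ([0-9a-fA-F]{2}(?: {1,2}[0-9a-fA-F]{2})*)(?: {3,}|$)")
# Label tshark prints before each data source when a frame has more than one.
SOURCE_LABEL = re.compile(r"^(.+?) \(\d+ bytes\):$")
Packet = namedtuple("Packet", "summary sources")  # sources: label -> bytearray

def parse_tshark_hexdump(text):
    """Turn `tshark -x` text (one-line summaries, no -V tree) into Packets."""
    packets, cur, label = [], None, "Frame"
    for line in text.splitlines():
        if not line.strip():
            continue  # blank lines only separate packets
        row = HEX_ROW.match(line)
        if row:
            if cur is None:
                raise ValueError("hex row before any packet summary line")
            buf = cur.sources.setdefault(label, bytearray())
            offset = int(row.group(1), 16)
            if offset != len(buf):  # catches a truncated or corrupted dump
                raise ValueError(f"{label}: offset {offset:#06x} after {len(buf)} bytes")
            buf += bytes.fromhex(row.group(2))  # fromhex ignores the spaces
            continue
        lab = SOURCE_LABEL.match(line.strip())
        if lab and cur is not None:
            label = lab.group(1)
            continue
        cur = Packet(line.strip(), {})  # anything else starts a new packet
        packets.append(cur)
        label = "Frame"  # single-source frames print no label line
    return packets

def frame_bytes(pkt):
    """On-the-wire bytes only; a 'Reassembled TCP' source is ignored."""
    return bytes(pkt.sources.get("Frame", b""))

# Constructed sample in tshark -x layout; frame 2 shows the extra reassembled
# data source you get when tcp.desegment_tcp_streams is left enabled.
SAMPLE_DUMP = """\
  1   0.000000   10.0.0.1 → 10.0.0.2   TCP 20 50340 → 443 [PSH, ACK] Seq=1
0000  16 03 03 00 0f 01 00 00 0b 03 03 de ad be ef 00   ................
0010  01 02 03 04                                       ....

  2   0.000100   10.0.0.1 → 10.0.0.2   TCP 16 50340 → 443 [PSH, ACK] Seq=21
Frame (16 bytes):
0000  48 65 6c 6c 6f 20 74 73 68 61 72 6b 20 2d 78 0a   Hello tshark -x.
Reassembled TCP (8 bytes):
0000  01 02 03 04 aa bb aa bb                           ........
"""
```

The offset check is what tells you a dump was cut short or mangled in transit, and frame_bytes() is the safe accessor when you only want what was actually on the wire.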