Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com) . His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake\\\\\\\'s main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark-bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

1. Capture file manipulation Part I : packet selection August 2008

4. Use capinfos to get quick info (1) $ capinfos test01.cap File name: test01.cap File type: Wireshark/tcpdump/... - libpcap File encapsulation: Ethernet Number of packets: 7387 File size: 4194809 bytes Data size: 4076593 bytes Capture duration: 113.756167 seconds Start time: Wed Aug 13 19:47:53 2008 End time: Wed Aug 13 19:49:47 2008 Data rate: 35836.24 bytes/s Data rate: 286689.90 bits/s Average packet size: 551.86 bytes Average packet rate: 64.94 packets/s $

5. Use capinfos to get quick info (2) $ capinfos -ae test*cap File name: test01.cap Start time: Wed Aug 13 19:47:53 2008 End time: Wed Aug 13 19:49:47 2008 File name: test02.cap Start time: Wed Aug 13 19:49:47 2008 End time: Wed Aug 13 19:50:30 2008 File name: test03.cap Start time: Wed Aug 13 19:50:30 2008 End time: Wed Aug 13 19:51:27 2008 File name: test04.cap Start time: Wed Aug 13 19:51:27 2008 End time: Wed Aug 13 19:51:42 2008 $

6. Use tshark to extract packets $ tshark -r test03.cap -R "tcp.port==34421" -w port-34421.cap $ $ capinfos -aec test03.cap port-34421.cap File name: test03.cap Number of packets: 5900 Start time: Wed Aug 13 19:50:30 2008 End time: Wed Aug 13 19:51:27 2008 File name: port-34421.cap Number of packets: 110 Start time: Wed Aug 13 19:51:11 2008 End time: Wed Aug 13 19:51:19 2008 $ $ tshark -C clean -c 10 -r port-34421.cap 1 0.000000 192.168.1.46 -> 195.12.3.3 TCP 34421 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 2 0.333175 195.12.3.3 -> 192.168.1.46 TCP http > 34421 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460 WS=0 3 0.333227 192.168.1.46 -> 195.12.3.3 TCP 34421 > http [ACK] Seq=1 Ack=1 Win=128000 Len=0 4 0.334018 192.168.1.46 -> 195.12.3.3 HTTP GET /images/menubar/menu_on_5.gif HTTP/1.1 5 0.615100 195.12.3.3 -> 192.168.1.46 TCP [TCP segment of a reassembled PDU] 6 0.615203 195.12.3.3 -> 192.168.1.46 HTTP HTTP/1.1 200 OK (GIF89a) 7 0.615241 192.168.1.46 -> 195.12.3.3 TCP 34421 > http [ACK] Seq=700 Ack=1473 Win=128000 Len=0 8 0.615849 192.168.1.46 -> 195.12.3.3 HTTP GET /images/buttonBG.gif HTTP/1.1 9 0.966606 195.12.3.3 -> 192.168.1.46 HTTP HTTP/1.1 200 OK (GIF89a) 10 0.967238 192.168.1.46 -> 195.12.3.3 HTTP GET /images/nav_02_dn.gif HTTP/1.1 $

7. Use mergecap to merge capture files $ tshark -r test03.cap -R "tcp.port==34421" -w tmp03.cap $ tshark -r test04.cap -R "tcp.port==34421" -w tmp04.cap $ mergecap -w port-34421.cap tmp03.cap tmp04.cap $ $ capinfos -aec tmp03.cap tmp04.cap port-34421.cap File name: tmp03.cap Number of packets: 110 Start time: Wed Aug 13 19:51:11 2008 End time: Wed Aug 13 19:51:19 2008 File name: tmp04.cap Number of packets: 64 Start time: Wed Aug 13 19:51:32 2008 End time: Wed Aug 13 19:51:36 2008 File name: port-34421.cap Number of packets: 174 Start time: Wed Aug 13 19:51:11 2008 End time: Wed Aug 13 19:51:36 2008 $

8. Use editcap to split capture files (1) <x> packets per file $ editcap -c 2500 test01.cap tmp01.cap $ $ capinfos -aec tmp01.cap* File name: tmp01.cap-00000 Number of packets: 2500 Start time: Wed Aug 13 19:47:53 2008 End time: Wed Aug 13 19:49:09 2008 File name: tmp01.cap-00001 Number of packets: 2500 Start time: Wed Aug 13 19:49:09 2008 End time: Wed Aug 13 19:49:27 2008 File name: tmp01.cap-00002 Number of packets: 2387 Start time: Wed Aug 13 19:49:27 2008 End time: Wed Aug 13 19:49:47 2008 $

9. Use editcap to split capture files (2) <x> seconds per file $ editcap -i 30 test01.cap tmp01.cap $ $ capinfos -ae tmp01.cap* File name: tmp01.cap-00000 Start time: Wed Aug 13 19:47:53 2008 End time: Wed Aug 13 19:48:17 2008 File name: tmp01.cap-00001 Start time: Wed Aug 13 19:48:30 2008 End time: Wed Aug 13 19:48:48 2008 File name: tmp01.cap-00002 Start time: Wed Aug 13 19:48:57 2008 End time: Wed Aug 13 19:49:23 2008 File name: tmp01.cap-00003 Start time: Wed Aug 13 19:49:23 2008 End time: Wed Aug 13 19:49:47 2008 $

10. Use editcap to select packets (1) by packet numbers $ editcap -r test01.cap tmp01.cap 1-10 21-30 Add_Selected: 1-10 Inclusive ... 1, 10 Add_Selected: 21-30 Inclusive ... 21, 30 $ $ capinfos -aec tmp01.cap File name: tmp01.cap Number of packets: 20 Start time: Wed Aug 13 19:47:53 2008 End time: Wed Aug 13 19:47:54 2008 $

11. Use editcap to select packets (2) by time $ editcap -A &quot;2008-08-13 19:48:00&quot; -B &quot;2008-08-13 19:48:59&quot; test01.cap tmp01.cap $ $ capinfos -aec tmp01.cap File name: tmp01.cap Number of packets: 844 Start time: Wed Aug 13 19:48:00 2008 End time: Wed Aug 13 19:48:59 2008 $

12. All together now :-) $ mergecap -w total.cap test*cap $ editcap -A &quot;2008-08-13 19:48:00&quot; -B &quot;2008-08-13 19:50:59&quot; total.cap clean.cap $ editcap -i 60 clean.cap by-minute.cap $ $ capinfos -ae by-minute.cap* File name: by-minute.cap-00000 Start time: Wed Aug 13 19:48:00 2008 End time: Wed Aug 13 19:48:59 2008 File name: by-minute.cap-00001 Start time: Wed Aug 13 19:49:01 2008 End time: Wed Aug 13 19:49:59 2008 File name: by-minute.cap-00002 Start time: Wed Aug 13 19:50:00 2008 End time: Wed Aug 13 19:50:59 2008 $