tcpdump(1) filter by date

Eduardo Meyer dudu.meyer at gmail.com
Tue Nov 18 13:30:41 PST 2008


Hello,

I have a kind big tcpdump file, which has data from the last week. I
want to dump information based on date. Can I do it without generating
a full output and later parse the headers?

Say, I want to filter by date in the <expression> filter and not with

tcpdump -r dumpfile | awk '{<some-black-magic-here}'

Because sometimes I want o search the full packet content (-vvv, -XX,
-T, ...) by date, and as its a huge file, dumpling everthing and
parsing it later on run-time wound consume too much memory (its a
couple of GBs file).

Thank you all, but I could not find a "date" keyword for filtering expression.

However, counting by packets sequence would also fit my needs because
the need is to, say, "analyse until a certain point" and later
"continue analysing from where I stopped", so, lets say

tcpdump -r dumpfile -c 10000

Would allow me to read the first 10000 packets from the dumpfile.
Later I would need to keep doing my job from packet 10001 to 20000.
The "date" question is because I can check the precise epoch timestamp
of the last packet I have read and later, ask tcpdump to print -c
<count> number of packets starting from the epoch-formatted date I
have paused my work later.

Sometimes I will also need this for pflog files, so, I would
appreciate any tips to do this with tcpdump custom files or pflog
generated files if there is anything would fit for one situation but
not for another.

Thank you all in advance.



-- 
===========
Eduardo Meyer
pessoal: dudu.meyer at gmail.com
profissional: ddm.farmaciap at saude.gov.br


More information about the freebsd-stable mailing list