tcpdump(1) filter by date

Zaphod Beeblebrox zbeeble at gmail.com
Tue Nov 18 21:03:09 PST 2008


I don't know whether or not this has been fixed, but I found that I had to
recompile tcpslice and/or tcpdump to deal with files larger than 4 gig (or
maybe 2 gig).  I suppose it's a better situation than wireshark.  After a
few million packets, it falls over because it makes the widgets in the
scroller window for every packet in the file that's visible with the current
filter.  The memory from these widgets gets big fast.  On a 64 bit machine
... you can analyze a larger file --- and suck down a lot of swap... but on
a 32 bit machine, you run out of address space quickly.

On Tue, Nov 18, 2008 at 4:41 PM, David Wolfskill <david at catwhisker.org> wrote:

> [Cross-post to -questions elided, since I saw the message on -stable,
> and I'd like to discourage gratuitous cross-posting.  dhw]
>
> On Tue, Nov 18, 2008 at 07:30:39PM -0200, Eduardo Meyer wrote:
> > Hello,
> >
> > I have a kind of big tcpdump file, which has data from the last week. I
> > want to dump information based on date. Can I do it without generating
> > a full output and later parse the headers?
>
> See the port net/tcpslice.
>
> Here's an excerpt from its man page:
>
> DESCRIPTION
>       Tcpslice is a program for extracting portions of packet-trace files
>       generated using tcpdump(1)'s -w flag.  It can also be used to merge
>       together several such files, as discussed below.
> ...
>       There are a number of ways to specify times.  The first is using Unix
>       timestamps of the form sssssssss.uuuuuu (this is the format specified
>       by tcpdump's -tt flag).  For example, 654321098.7654 specifies 38
>       seconds and 765,400 microseconds after 8:51PM PDT, Sept. 25, 1990.
>
> > ...
>
> Peace,
> david
> --
> David H. Wolfskill                              david at catwhisker.org
> Depriving a girl or boy of an opportunity for education is evil.
>
> See http://www.catwhisker.org/~david/publickey.gpg for my public key.
>

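The thread's answer is to cut a time window out of a large capture with tcpslice rather than decoding every packet. The following is an added example, not tcpslice's code and not part of the original thread: a minimal pcap time-slicer written against the standard libpcap file format (24-byte global header, 16-byte per-record header, both byte orders and the nanosecond-resolution magic). It streams one record at a time, so the whole file never has to fit in memory, which is the failure mode described for Wireshark above. Timestamps are given as Unix seconds in the same `sssssssss.uuuuuu` form as `tcpdump -tt`. The capture it processes is constructed in `demo()`; the function and variable names are this example's own.

```python
"""Extract the packets of a pcap capture that fall inside a time window.

Added example (not tcpslice): streams a libpcap-format file record by record
and writes a new, valid pcap containing only the records whose timestamp lies
in [start, end].  Only the standard library is used.
"""
import io
import struct

GLOBAL_HDR_LEN = 24   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def detect_format(magic_bytes):
    """Return (struct byte-order prefix, timestamp divisor) for a pcap magic."""
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", magic_bytes)[0]
        if magic == 0xA1B2C3D4:
            return order, 1_000_000         # microsecond fractions
        if magic == 0xA1B23C4D:
            return order, 1_000_000_000     # nanosecond fractions
    raise ValueError("not a pcap file (bad magic %r)" % (magic_bytes,))


def slice_pcap(src, dst, start, end):
    """Copy records with start <= timestamp <= end from src to dst.

    start/end are Unix times as floats (tcpdump -tt form, e.g. 654321098.7654).
    Returns the number of records written.  No early exit on ts > end: merged
    or multi-interface captures are not guaranteed to be in time order.
    """
    header = src.read(GLOBAL_HDR_LEN)
    if len(header) != GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    order, divisor = detect_format(header[:4])
    rec_hdr = struct.Struct(order + "IIII")
    dst.write(header)                       # output keeps the input's format
    kept = 0
    while True:
        raw = src.read(RECORD_HDR_LEN)
        if not raw:
            break                           # clean end of file
        if len(raw) != RECORD_HDR_LEN:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, _orig_len = rec_hdr.unpack(raw)
        payload = src.read(incl_len)
        if len(payload) != incl_len:
            raise ValueError("truncated packet data")
        if start <= ts_sec + ts_frac / divisor <= end:
            dst.write(raw)
            dst.write(payload)
            kept += 1
    return kept


def build_pcap(records, order="<", snaplen=65535, linktype=1):
    """Build an in-memory microsecond-resolution pcap from (ts, payload) pairs.

    Constructed test data only; linktype 1 = Ethernet.  `order` selects the
    byte order so both file flavours can be exercised.
    """
    out = io.BytesIO()
    out.write(struct.Struct(order + "IHHiIII").pack(
        0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    rec = struct.Struct(order + "IIII")
    for ts, payload in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.write(rec.pack(sec, usec, len(payload), len(payload)))
        out.write(payload)
    return out.getvalue()


def demo(order="<"):
    """Slice the second day out of a constructed week-long capture."""
    # Constructed capture: one 60-byte dummy frame every 12 hours for a week,
    # starting at Unix time 1226966400 (2008-11-18 00:00:00 UTC).
    base = 1226966400
    frames = [(base + i * 43200 + 0.5, b"\x00" * 60) for i in range(14)]
    src = io.BytesIO(build_pcap(frames, order=order))
    dst = io.BytesIO()
    kept = slice_pcap(src, dst, base + 86400, base + 2 * 86400 - 1)
    return kept, dst.getvalue()


if __name__ == "__main__":
    kept, data = demo()
    print("kept %d records, %d bytes of pcap" % (kept, len(data)))
```

To run it against a real capture, open the input and output files in binary mode and pass them to `slice_pcap` with the window boundaries as Unix timestamps. Because the global header is copied through unchanged, the result opens in tcpdump or any other libpcap reader; the sliced file also stays under whatever file-size limit the tools on the machine were built with, which is the practical point of cutting a large trace down before analysing it.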
