selecting major flows at once in a huge pcap in wireshark - McMap

About

selecting major flows at once in a huge pcap in wireshark

Asked 17/4, 2012 at 12:0 Answered 23/4, 2012 at 17:8

Solved wireshark wireshark-dissector

C

1

1

i have a large pcap with more than 1000 tcp flows. i want to filter major flows say with packets greater than 100. if i go to conversations and right click on those flows, i can filter those flows, but then i have to do it several times and since i have huge pcap, it may exceed 100. is there any other quick display filter i can use which will give me flows having number of packets > n (n being any +ve integer).

say some filter like :

flow.num_pkt > 100

which can give me all such flows.

thanks a lot,

any help will be greatly appreciated.

Corvus answered 17/4, 2012 at 12:0 Comment(3)

Is Wireshark a requirement? It's super-easy by filtering Bro's connection logs. – Diestock 18/4, 2012 at 15:22

@MatthiasVallentin : thanks for the reply. can you plz let me know if Bro has all the features of wireshark ? Is it having some different features ? is it free ? thanks a lot again. – Corvus 23/4, 2012 at 8:44

Bro and Wireshark are quite different beasts. Bro is a powerful network analysis framework that you can script/code however you want. However, it does not provide a GUI like Wireshark. Bro is free software and comes with a BSD style license. – Diestock 23/4, 2012 at 17:10

D

4

Bro is an apt tool for connection-oriented analysis. To find the number of packets per flow, you run simply run Bro on the trace and extract the value from the logs:

bro -r trace.pcap
bro-cut id.orig_h id.orig_p id.resp_h id.resp_p orig_pkts resp_pkts < conn.log \
    | awk '$5+$6 > 100 {print $1,$2,$3,$4,$5,$6}' \
    | sort -rn -k 5 \
    | head

This gives the following output:

192.168.1.105 49325 137.226.34.227 80 73568 146244
192.168.1.105 49547 198.189.255.74 80 16764 57098
192.168.1.105 49531 198.189.255.74 80 5186 14843
192.168.1.105 49255 198.189.255.73 80 4749 32164
192.168.1.104 1422 69.147.86.184 80 2657 2656
192.168.1.105 49251 198.189.255.74 80 2254 13854
192.168.1.1 626 224.0.0.1 626 2175 0
192.168.1.105 49513 198.189.255.82 80 2010 3852
192.168.1.103 2026 151.207.243.129 80 1953 2570
192.168.1.105 49330 143.166.11.10 64334 1514 3101

The tool bro-cut ships with Bro and provides a convenient way to extract certain named columns from the logs. For this task, you want:

id.orig_h: IP of the connection originator (source)
id.orig_p: Transport-layer port of the connection originator (source)
id.resp_h: IP of the connection responder (destination)
id.resp_p: Transport-layer port of the connection responder (source)
orig_pkts: Number of packets sent by the originator
resp_pkts: Number of packets sent by the responder

Note the awk filter expression:

awk '$5+$6 > 100 {print ...}'

It restricts the output to those connections that have a total number of packets greater than 100.

Unless you have fixed-size packets, I encourage you to also investigate other metrics, such as packet size (IP or TCP payload). These are readily in the connection logs via the orig_bytes and resp_bytes columns.

Diestock answered 23/4, 2012 at 17:8 Comment(3)

thanks for the reply. after i filter the major flows, i want to save them in a new pcap file. can such a thing be possible with bro or somehow in wireshark as i asked earlier or any other tool. – Corvus 24/4, 2012 at 13:21

This is non-trivial with the current Bro 2.0, but the new packet capture framework in the upcoming release 2.1 should make this more easy. – Diestock 24/4, 2012 at 16:9

Note that contents.bro gives you quite similar functionality today: it writes the transport-layer byte stream (i.e., application payload) into a file. Check out this question for details. – Diestock 3/5, 2012 at 19:23

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.