Filter a pcap dump file for a specific time range

Is there any easy way to create a pcap file for the packets related to a specific datetime range maybe using tshark, tcpdump or another commandline tool?

tshark -R with frame.time seems promising but I haven't been able to work that out yet...

EDIT

The final command:

editcap -F libpcap -A "2013-07-20 23:00:00" -B "2013-07-20 23:20:00" input.pcap output.pcap
Asked by Filippo Vitale, Nov 13 '13 11:11



1 Answer

What you need is editcap. It's a command-line tool that is part of the Wireshark family.

Check out the man page at http://www.wireshark.org/docs/man-pages/editcap.html.

It takes a pcap file as input, and writes an output one. You may operate on the infile to filter content, for example, with start-time and end-time, packet number ranges, snap packet length, adjusting timestamps (!), etc. It's a great tool.

Answered by James, Sep 19 '22 00:09
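What editcap -A/-B does under the hood, as an added Python example (not code from the question, the answer, or Wireshark): parse the libpcap container, keep only the records whose timestamp falls inside the window, and write the survivors back out. The sample packets are constructed inline and the example assumes UTC timestamps, whereas a bare time string passed to editcap is interpreted in the machine's local time.

```python
import struct
from datetime import datetime, timedelta, timezone

# libpcap file format (little-endian, microsecond resolution).
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def parse_pcap(data):
    """Return (global_header_bytes, [(ts_sec, ts_usec, payload), ...])."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off, records = GLOBAL_HDR.size, []
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")  # never trust incl_len blindly
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return data[:GLOBAL_HDR.size], records


def filter_by_time(data, start, end):
    """Keep packets with start <= timestamp <= end; start/end are aware datetimes."""
    hdr, records = parse_pcap(data)
    lo, hi = start.timestamp(), end.timestamp()
    kept = [r for r in records if lo <= r[0] + r[1] / 1e6 <= hi]
    out = bytearray(hdr)
    for ts_sec, ts_usec, payload in kept:
        out += REC_HDR.pack(ts_sec, ts_usec, len(payload), len(payload)) + payload
    return bytes(out), len(kept)


def make_sample_pcap(times):
    """Constructed input: one 60-byte dummy frame (linktype 1, Ethernet) per timestamp."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, t in enumerate(times):
        payload = bytes([i]) * 60
        out += REC_HDR.pack(int(t.timestamp()), t.microsecond, len(payload), len(payload)) + payload
    return bytes(out)


def demo():
    """Four packets around the question's window; only two fall inside 23:00-23:20 (UTC assumed)."""
    day = datetime(2013, 7, 20, tzinfo=timezone.utc)
    times = [day + timedelta(hours=22, minutes=50), day + timedelta(hours=23, minutes=5),
             day + timedelta(hours=23, minutes=15, microseconds=500), day + timedelta(hours=23, minutes=25)]
    start, end = day + timedelta(hours=23), day + timedelta(hours=23, minutes=20)
    filtered, n = filter_by_time(make_sample_pcap(times), start, end)
    return n, len(parse_pcap(filtered)[1])
```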