Carving and Parsing Packet Captures

Let’s say you deal with HUGE packet captures and you need to parse or carve out certain types of packets or conversations from the source.

This is particularly true for folks who use ring buffers, or who run huge captures over long periods on fast interfaces.  If you do this you very quickly learn about the Wireshark command line tools, as well as other tools that apply to these needs.  Here is a list:

command line tools

Let’s say we start with a bunch of capture files in a sub-directory.  Merging them is probably a bad idea since they are big to start with.  Also mergecap has a limit of 2,000 files.

The parsing or carving process is essentially a filtering exercise.  In other words, we need to create a display filter syntax that ends up creating a new set of files.

Tip #1 – Use Read Only

My first tip is that you should protect these captures so that you don’t accidentally change the original captures.  To do this, set the read-only flag on those captures.  You do this by simply right-clicking on the file (in Windows) and then selecting Properties.  On the Properties screen, tick the “Read-only” box and click OK.  Simple but very important.

Tip #2 – Create a Batch File

The second tip is to create an editable batch file that does two things: first, it creates a subdirectory where the parsing/carving process will write its new .pcap files; second, it holds the command line that processes the original file(s) with the appropriate filter.

Example 1: Let’s carve out all the DNS packets from multiple files.

Remember the first line below makes a new directory, and the second line triggers the parsing/filtering:

mkdir dns

for %%a in (*.pcapng) do tshark -r %%a -Y "dns" -w dns/%%a

What are the items above?

  • %%a takes, in turn, the name of each file in the directory we are working in
  • -r reads the file we are currently working on
  • -Y is the display filter
  • -w writes the matching packets to the dns subdirectory that we made in line 1, using the same filename as the input

Note: if you simply type these commands from the command line you only need one % sign.

Example 2: Let’s carve out just the essential TCP packets (SYN, FIN and RST).

Remember the first line below makes a new directory, and the second line triggers the parsing/filtering:

mkdir tcp

for %%a in (*.pcapng) do tshark -r %%a -Y "tcp.flags.syn==1 or tcp.flags.fin==1 or tcp.flags.reset==1" -w tcp/%%a

Note: if you simply type these commands from the command line you only need one % sign.

Example 3: Let’s carve out packets by VLAN ID.

Remember the first line below makes a new directory, and the second line triggers the parsing/filtering:

mkdir vlan7

for %%a in (*.pcapng) do tshark -r %%a -Y "vlan.id==7" -w vlan7/%%a

Note: if you simply type these commands from the command line you only need one % sign.
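The three examples above all follow the same pattern, so here is one batch file that generalizes them: it takes the output subdirectory and the display filter as arguments, applies Tip #1 from the command line with attrib +R instead of the Properties dialog, and finishes by counting the packets in each carved file so an empty result is obvious.  This is an added example, not a script from the original article; the name carve.bat and the variable names OUTDIR and FILTER are mine, and it assumes tshark, capinfos and attrib are on the PATH and that you run it from the directory that holds the .pcapng files.

```batch
@echo off
REM carve.bat - added example, not from the original article.
REM Usage: carve.bat subdir "display filter"
REM   carve.bat dns "dns"
REM   carve.bat tcp "tcp.flags.syn==1 or tcp.flags.fin==1 or tcp.flags.reset==1"
REM   carve.bat vlan7 "vlan.id==7"
REM Assumes tshark, capinfos and attrib are on the PATH and that this
REM script is run from the directory containing the .pcapng files.

if "%~2"=="" (
    echo Usage: %~nx0 subdir "display filter"
    exit /b 1
)
set "OUTDIR=%~1"
set "FILTER=%~2"

REM Tip #1 from the command line: mark the originals read-only so that
REM a mistyped -w path in this or any later script cannot overwrite them.
attrib +R *.pcapng

REM Tip #2, part one: create the output subdirectory (only if missing).
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

REM Tip #2, part two: carve every capture with the given display filter.
REM %%~nxa expands to name+extension only, so the output always lands in
REM OUTDIR with the same filename as the input.
for %%a in (*.pcapng) do (
    echo Carving %%a ...
    tshark -r "%%a" -Y "%FILTER%" -w "%OUTDIR%\%%~nxa"
)

REM Sanity check: print the packet count of each carved file. A count of
REM 0 means the filter matched nothing in that capture.
for %%a in ("%OUTDIR%\*.pcapng") do capinfos -c "%%a"
```

Because the script is a file, the loop variable is written %%a; at an interactive prompt you would type %a, exactly as the notes above say.  tshark -w writes pcapng by default; if a downstream tool needs classic pcap, add -F pcap to the tshark line.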


We hope this helps those of you who deal with enormous or large numbers of captures.

If you have another example you think we should have here, please let me know: andyw@cellstream.com

Enjoy!

I hope you find this article and its content helpful.  Comments are welcome below.  If you would like to see more articles like this, please support us by clicking the patron link, where you will receive free bonus access to courses and more, or simply buy us a cup of coffee!
