0

I'm trying to export a subset of a pcap file given a start and an end message, this start and end message identification is currently done using ngrep on the raw data(because we have no dissector for the specific protocol)

Ideally I would like to get the frame # in the pcap file of the identified start and end message and filter using it. Unfortunately ngrep is not able to display a frame # (as in the first column if I look in wireshark) so the only "unique" identifier I can think of is the time stamp.

Next I'm trying to filter the original pcap file by time stamp range but run into problems with editcap and tshark not supporting sub second time stamp format as input, giving me a lot of superfluous data.

Suggestions on how to handle this in a good way? Open to alternative tools and way of attacking the problem.

Kristofer
  • 113
  • 1
  • 7

1 Answers1

0

Decided to add an additional step into the pipeline in order to solve the problem, solution now looks like this:

capture -> ngrep to identify start and end fram + grab their timestamp -> tshark with time stamp range + grab frame #'s from output -> editcap to create a new pcap subset file given start frame # and end frame # from previous step.

Kristofer
  • 113
  • 1
  • 7