
I want to filter the first 100 packets inside a pcap file and show the result on stdout. For filtering the first 100 packets I used the command below:

editcap -r test.pcap output.pcap 1-100

For showing the result and filtering packets for further purposes I want to use tcpdump.

tcpdump -tttt -r inputfile.pcap tcp and ip host 192.168.1.1

I want to redirect the output of editcap to tcpdump, like this:

editcap -r test.pcap - | tcpdump -tttt -r - tcp and ip host 192.168.1.1

But in this command I couldn't filter the first 100 packets. Is it possible to do so? If not, is it possible to redirect the output of editcap to RAM and then have tcpdump read from RAM?

Thanks in advance.

P.S. By the way, I don't want to use the command below, because this command reads all the packets inside the file. I need the command to read some packets inside the pcap file, show them, and then finish the job.

tshark -r ~/test1.pcap -R "frame.number<20 and frame.number>10"
omid

1 Answer


but in this command I couldn't filter the first 100 packets

I.e., you don't see any packets?

Try doing

editcap -F pcap -r test.pcap - 1-100 | tcpdump -tttt -r - tcp and ip host 192.168.1.1

as editcap might be writing out a pcap-ng file and there is a bug in some versions of libpcap when reading pcap-ng files that causes filtering in tcpdump not to work.

  • In the provided command you didn't put any switch in editcap or tcpdump to filter the first 100 frames in the pcap file. In editcap you should put 1-100 at the end of the command, like editcap -r test.pcap output.pcap 1-100. Let me clarify my question: I want to filter packets in a pcap file with BPF filters and some filter to show specific frame numbers. The first BPF filter is OK, but I want to put some filter to show from frame number 10 to 20. In editcap I put 10-20 at the end of the command and it works perfectly; because editcap doesn't have BPF filters I want to pipe the output to the tcpdump command. – omid Aug 04 '15 at 06:31
  • This command (tshark -r ~/test1.pcap -R "frame.number<20 and frame.number>10") provides what I want, but the problem is that tshark reads the entire pcap file. The advantage of editcap over tshark is that editcap doesn't read the entire pcap file, just the specific frames given in the command. – omid Aug 04 '15 at 06:37
  • I edited the command in the answer to select the first 100 packets. –  Aug 04 '15 at 07:53
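The following is an added example, not code from the question or the answer above. It is a stdlib-only Python script that does what editcap -r in.pcap - FIRST-LAST does for a frame range: it reads the classic pcap record by record, copies only frames FIRST..LAST to a new pcap on stdout, and stops reading as soon as the last wanted frame has been copied, so the rest of the file is never read (the property the asker wants). It always emits classic pcap, which is the same reason the answer adds -F pcap, and it refuses pcapng input instead of silently producing something tcpdump may not filter. The script name pcap_slice.py, the function names and the constructed sample capture (records whose "packet" bytes are just frame-N) are this example's own assumptions.

```python
import io
import struct
import sys

# Classic pcap magic numbers, as they read in the file's own byte order.
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond / nanosecond timestamps
PCAPNG_SHB = 0x0A0D0D0A                   # block type that opens every pcapng file


def classify(magic):
    """Identify the container format from its first four bytes."""
    le = struct.unpack("<I", magic)[0]
    if le in PCAP_MAGICS:
        return "pcap-le"
    if struct.unpack(">I", magic)[0] in PCAP_MAGICS:
        return "pcap-be"
    if le == PCAPNG_SHB:                  # 0a 0d 0d 0a is the same in either order
        return "pcapng"
    return "unknown"


def _byte_order(magic):
    """struct prefix for this file's byte order; reject anything that is not classic pcap."""
    kind = classify(magic)
    if kind == "pcap-le":
        return "<"
    if kind == "pcap-be":
        return ">"
    if kind == "pcapng":
        raise ValueError("pcapng input: convert with 'editcap -F pcap' first")
    raise ValueError("not a pcap file")


def slice_pcap(src, first, last):
    """Copy frames first..last (1-based, inclusive) from the binary stream `src`
    into a new classic pcap and return it as bytes. Reading stops as soon as
    frame `last` has been copied, so the remainder of the file is never read."""
    if first < 1 or last < first:
        raise ValueError("frame range must satisfy 1 <= first <= last")
    header = src.read(24)
    if len(header) < 24:
        raise ValueError("short pcap global header")
    order = _byte_order(header[:4])
    out = bytearray(header)               # keep the input's linktype and snaplen
    frame = 0
    while frame < last:
        rec_hdr = src.read(16)            # ts_sec, ts_usec, incl_len, orig_len
        if len(rec_hdr) < 16:
            break                         # EOF before `last`: return what we have
        frame += 1
        incl_len = struct.unpack(order + "I", rec_hdr[8:12])[0]
        payload = src.read(incl_len)
        if len(payload) < incl_len:
            raise ValueError("truncated record %d" % frame)
        if frame >= first:
            out += rec_hdr + payload
    return bytes(out)


def slice_pcap_bytes(data, first, last):
    """Slice an in-memory pcap; also return how many input bytes were consumed,
    which makes the early stop observable."""
    src = io.BytesIO(data)
    out = slice_pcap(src, first, last)
    return out, src.tell()


def payloads(data):
    """Captured bytes of every record in a classic pcap (used to check results)."""
    order = _byte_order(data[:4])
    off, result = 24, []
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        result.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return result


def build_sample_pcap(n):
    """Constructed test input: little-endian pcap, linktype 1 (Ethernet), with n
    records whose 'packet' bytes are simply b'frame-<number>'."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i in range(1, n + 1):
        pkt = b"frame-%d" % i
        body += struct.pack("<IIII", 1000 + i, 0, len(pkt), len(pkt)) + pkt
    return hdr + body


if __name__ == "__main__":
    # usage: python3 pcap_slice.py FIRST LAST < in.pcap | tcpdump -tttt -r - 'tcp and ip host 192.168.1.1'
    first, last = int(sys.argv[1]), int(sys.argv[2])
    sys.stdout.buffer.write(slice_pcap(sys.stdin.buffer, first, last))
```

Because the script only ever reads up to the last requested record, a range such as 10-20 on a multi-gigabyte capture finishes after a few kilobytes of I/O; tcpdump on the other end of the pipe then applies the BPF filter to just those frames. If the input is pcapng, the script stops with an error telling you to convert it, rather than handing tcpdump a file its libpcap may not filter correctly.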