Remove non-UDP related data from pcap file

I have a file called test1.pcap which contains ICMP, ARP, and UDP messages. I want to read test1.pcap and write to test2.pcap with only UDP messages.
I tried the following:
tcpdump -r test1.pcap udp -w test2.pcap
but the non-UDP messages (ICMP and ARP) still show up in test2.pcap. I used Wireshark to view the results.
Any suggestions?
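An added example, not part of the question above and not tcpdump's own code: a small pure-Python pass that copies only IPv4/UDP records out of a classic pcap, run over a constructed four-packet capture (ARP, ICMP echo, plain UDP, 802.1Q-tagged UDP) so the kept/dropped counts can be checked without opening Wireshark. It steps over VLAN tags as well, which a bare "udp" BPF primitive does not match unless written as "vlan and udp".

```python
import struct

PCAP_MAGIC_LE, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1      # classic little-endian pcap, Ethernet frames
ETH_IPV4, ETH_ARP, ETH_VLAN = 0x0800, 0x0806, 0x8100
IPPROTO_ICMP, IPPROTO_UDP = 1, 17

def is_udp(frame):
    """True if an Ethernet frame carries IPv4/UDP; 802.1Q tags are stepped over."""
    if len(frame) < 14:
        return False
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    while ethertype == ETH_VLAN and len(frame) >= off + 4:    # tagged frame: TCI + inner type
        ethertype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    if ethertype != ETH_IPV4 or len(frame) < off + 20:
        return False
    return frame[off + 9] == IPPROTO_UDP                       # IPv4 'protocol' field

def filter_udp(pcap):
    """Return (udp_only_pcap, kept, dropped); records are copied byte-for-byte."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian classic pcap with Ethernet frames is handled")
    out, kept, dropped, off = bytearray(pcap[:24]), 0, 0, 24
    while off + 16 <= len(pcap):                               # 16-byte record header
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        end = off + 16 + incl_len
        if is_udp(pcap[off + 16:end]):
            out += pcap[off:end]
            kept += 1
        else:
            dropped += 1
        off = end
    return bytes(out), kept, dropped

# Constructed sample capture: ARP, ICMP echo, plain UDP and VLAN-tagged UDP (checksums left at 0).
def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload
def _eth(ethertype, payload):
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload
def _rec(frame):
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = (struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + _rec(_eth(ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20))
               + _rec(_eth(ETH_IPV4, _ipv4(IPPROTO_ICMP, b"\x08\x00\x00\x00\x00\x01\x00\x01")))
               + _rec(_eth(ETH_IPV4, _ipv4(IPPROTO_UDP, struct.pack("!HHHH", 5353, 5353, 8, 0))))
               + _rec(_eth(ETH_VLAN, struct.pack("!HH", 10, ETH_IPV4)
                           + _ipv4(IPPROTO_UDP, struct.pack("!HHHH", 1277, 1277, 8, 0)))))
```

Calling filter_udp(SAMPLE_PCAP) returns the two UDP records plus counts (2 kept, 2 dropped); running it again over its own output keeps both and drops nothing, which is the check the question was missing.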

Related

Use tshark or wireshark to read large file and output only ICMP packets

I have a 72 GB file that should have a small amount of ICMP packets in it. Wireshark cannot load it. I would like to use tshark or wireshark from the command line to read the file, filter out all the ICMP packets, and write them to a small file that I can then load into Wireshark. How can I do that?
You can use tshark with either of these commands:
tshark -r bigfile.pcap -Y "icmp" -w bigfile_icmp.pcap
tshark -r bigfile.pcap -2R "icmp" -w bigfile_icmp.pcap
The first one uses a Wireshark display filter while the second one uses a Wireshark read filter, but requires 2 passes, although I don't recall why read filters require 2 passes.
In Wireshark, you can also specify a read filter of icmp when opening the file. Do so via "File -> Open -> File name: bigfile.pcap, Read filter: icmp -> Open" This is also documented in the Wireshark User Guide.

Decode protobufs over UDP

I have Protobuf-serialized data that is being sent over UDP multicast. I read it using socat from bash as follows:
socat UDP4-RECVFROM:1277,ip-add-membership=239.195.1.2:192.168.254.5,fork,reuseaddr -
I want to chain this with protoc in order to keep decoding the data in every packet. How can I do that?
When I do
socat UDP4-RECVFROM:1277,ip-add-membership=239.195.1.2:192.168.254.5,fork,reuseaddr - | protoc --decode=proto.Message ./path/to/proto/message.proto
The terminal just hangs. Not sure how to proceed.
The problem turned out to be in socat. Remove the fork portion and it works great.
So essentially
socat UDP4-RECVFROM:1277,ip-add-membership=239.195.1.2:192.168.254.5,reuseaddr - | protoc --decode=proto.Message ./path/to/proto/message.proto

Simulate Network Latency on macOS Sierra

I am trying to simulate network latency for all traffic to a certain ip/url. I tried using a proxy through Charles but the traffic is going through HTTP or SOCKS. I found some information online but it does not seem to work for me. Can anyone see what is wrong with my commands?
#enable pf
sudo pfctl -E
#add a temporary extra ruleset (called "anchor") named "deeelay"
(cat /etc/pf.conf && echo "dummynet-anchor \"deeelay\"" && echo "anchor \"deeelay\"") | sudo pfctl -f -
#add a rule to the deeelay set to send any traffic to endpoint through new rule
echo "dummynet out proto tcp from any to myurl.com pipe 1" | sudo pfctl -a deeelay -f -
#Add a rule to dummynet pipe 1 to delay every packet by 500ms
sudo dnctl pipe 1 config delay 500
I see this warning when I run the commands:
No ALTQ support in kernel
ALTQ related functions disabled
Is that the issue?
The problem was the proto parameter. The application is not using tcp, it is using another protocol. You can either supply all the protocols you want as a list like so:
proto { tcp udp icmp ipv6 tlsp smp }
Or you can just remove the proto parameter altogether and it will do all protocols.

How can I capture FTP-data packets via tcpdump?

When I try to capture FTP packets, tcpdump only captures packets which do not contain the text from the transmitted .txt file; they only contain information about my commands, directories, etc.
I've used this command:
tcpdump src x.x.x.x and dst x.x.x.x and port ftp
Try
tcpdump 'src x.x.x.x and dst x.x.x.x and (port ftp or ftp-data)'
(per http://www.tcpdump.org/tcpdump_man.html )

Windows - "netstat -an -p tcp" NOT Displaying IPv6 Foreign Addresses ("netstat -an" does)

On Windows, does anyone know why "netstat -an -p tcp" doesn't display IPv6 addresses, but "netstat -an" does display them?
I highly doubt it's resolving IPv6 addresses to IPv4 ones, but this is puzzling the hell out of me.
From netstat /? in console (or [MS.Docs]: Netstat):
-p proto Shows connections for the protocol specified by proto; proto
may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
option to display per-protocol statistics, proto may be any of:
IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
So, when specifying -p tcp, it only displays the TCPv4 connections (by filtering out all the rest), while when no protocol is specified it displays them all (doesn't filter anything).