editcap: pcap文件的合并和分隔
source link: http://abcdxyzk.github.io/blog/2018/06/11/command-editcap/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
editcap: pcap文件的合并和分隔
2018-06-11 02:49:00
centos7 editcap 半静态编译
https://www.wireshark.org/download/src/wireshark-2.6.1.tar.xz
./configure CFLAGS=-static
make CFLAGS=-static
# CFLAGS=-static 不能完全起作用,
# 通过在 ./libtool 中增加 set -x 后得知 editcap 的链接命令,修改后如下
gcc -std=gnu99 -Wall -Wextra -Wendif-labels -Wpointer-arith -Wformat-security -fwrapv -fno-strict-overflow -fno-delete-null-pointer-checks -Wvla -Waddress -Wattributes -Wdiv-by-zero -Wignored-qualifiers -Wpragmas -Wno-overlength-strings -Wno-long-long -Wc++-compat -Wshadow -Wno-pointer-sign -Wold-style-definition -Wstrict-prototypes -Wlogical-op -Wjump-misses-init -Werror=implicit -fexcess-precision=fast -fvisibility=hidden -Wl,-Bstatic -o editcap editcap-editcap.o editcap-version_info.o -pthread -Wl,-Bstatic ui/libui.a wiretap/.libs/libwiretap.a /usr/local/wireshark/wireshark-2.6.1/wsutil/.libs/libwsutil.a wsutil/.libs/libwsutil.a -lgnutls -lgthread-2.0 -lgmodule-2.0 -lglib-2.0 -lgcrypt -lgpg-error -lz -lm -pthread -Wl,-Bdynamic -lgcc_s -ldl
glib2-2.42.2-5.el7.src.rpm
libgcrypt-1.5.3-12.el7_1.1.src.rpm
libgpg-error-1.12-3.el7.src.rpm
gnutls-3.3.8-14.el7_2.src.rpm
以上部分需要 make CFLAGS=-static 才能生成*.a
wireshark-1.10.14-7.el7.src.rpm
wireshark-1.10.14-7.el7.src.rpm 的./configure CFLAGS=-static和make CFLAGS=-static过不了,无法使用。。。
http://qwxingren.blog.sohu.com/304463885.html
使用wireshark自带的editcap。我们的系统Centos 5.8,执行 yum install wireshark,就已经安装了editcap。
1. 根据时间来拆分,利用-A 起始时间和-B 截止时间来提去某个时间段的数据。
用法:editcap -A <起始时间> -B <截止时间> <源文件名> <目的文件名>
editcap -A "2014-07-12 12:55:00" -B "2014-07-12 12:56:00" eth0-rtp.cap out_rtp.cap2.按packge数量拆分为多个文件
用法:editcap -c <每个文件的包数> <源文件名> <目的文件名>
editcap -c 100 dump.pcap test.pcap在wireshark中通过filter过滤出sip信令,但是在多个文件中,megecap可以将多个pcap文件合并为一个文件。
用法:mergecap -w <输出文件> <源文件1> <源文件2> …
mergecap -w compare.pcap a.pcap b.pcapPosted by kk
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK