Split pcap to multiple files based on number of packets

Here is a script that can use tshark to split a large pcap to multiple small pcaps



max=$(tshark  -r $inpcap -n -T fields -e frame.number|tail -1)

# This is the number of packets in each split pcap

# Save all new pcaps to out, if it does not exist, create it.
[[ ! -d out ]] && mkdir out

for i in $(seq 1 $max $c)
        tshark  -r $inpcap  -n -c $c "frame.number==$i" -w out/$i.pcap
        #Do other stuff, if required
        read -p "Send the next packet? "

A very simple 3-4 line script that has saved my day so may times.


Edit: I found a nice tcpdump cheatsheet https://comparite.ch/tcpdumpcs

dnstop – top like utility for Fedora and other *nix

For installation :

sudo yum install dnstop

And now some description:

dnstop is a libpcap application (ala tcpdump) that displays various
tables of DNS traffic on your network.

dnstop supports both IPv4 and IPv6 addresses.

To help find especially undesirable DNS queries, dnstop provides a
number of filters.

dnstop can either read packets from the live capture device, or from a
tcpdump savefile.

Couple of days back, I realized there was too much network activity on my
system, although I was not doing anything. Fired up wireshark and to my
astonishment, there was too much of DNS traffic on the network. But the
problem was analyzing the data in wireshark and this is where dnstop came
into light. It helped me narrow down the issue within minutes and problems

And how to run it :

sudo dnstop eth1


Enhanced by Zemanta

log analysis with perl and wireshark decode.

Here is something that I had to do in couple of hours to check the logs. The problem was the log file was printing the Received and Sent message in the hex format. I had to verify if the messages were correct. So here is how to do it.

open(FP, \”<$ARGV[0]\”)|| die \”File $ARGV[0] does not exist\”;
while ($line = <FP>)

if ($line =~ /(Received :)|(Sending :)/)


@words = split(/\\|/, $words[4]);
$received = $words[1];

# Convert to pcap using proprietery software.
system(\”tshark -r /tmp/amit.pcap -V|grep -E -i \”Amit\\|Agarwal\”\”); # The grep expression only displays the fields of interest.


Another techique that is quite helpful is to use different color for grep when you are searching for error/warning. This can be done using:

GREP_COLOR=\”01;31\” && tshark command