Here is a script that uses tshark to split a large pcap into multiple small pcaps:
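inpcap=$1   # capture file to split, taken from the first argument
max=$(tshark -r "$inpcap" -n -T fields -e frame.number | tail -1)
# This is the number of packets in each split pcap
c=$2        # taken from the second argument
# Save all new pcaps to out, if it does not exist, create it.
[[ ! -d out ]] && mkdir out
for i in $(seq 1 "$c" "$max")
do
    # Write frames i .. i+c-1 to their own file (-c would stop reading after the first c frames).
    tshark -r "$inpcap" -n -Y "frame.number >= $i && frame.number < $((i + c))" -w "out/$i.pcap"
    #Do other stuff, if required
    read -p "Send the next packet? "
done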
A very simple 3-4 line script that has saved my day so many times.
For installation:
sudo yum install dnstop
And now some description:
dnstop is a libpcap application (ala tcpdump) that displays various
tables of DNS traffic on your network.
dnstop supports both IPv4 and IPv6 addresses.
To help find especially undesirable DNS queries, dnstop provides a
number of filters.
dnstop can either read packets from the live capture device, or from a
A couple of days back, I realized there was too much network activity on my
system, although I was not doing anything. Fired up Wireshark and to my
astonishment, there was too much DNS traffic on the network. But the
problem was analyzing the data in Wireshark and this is where dnstop came
into light. It helped me narrow down the issue within minutes and problems
And how to run it:
sudo dnstop eth1
Here is something that I had to do in a couple of hours to check the logs. The problem was that the log file was printing the Received and Sent messages in hex format. I had to verify that the messages were correct. So here is how to do it.
open(FP, "<", $ARGV[0]) || die "File $ARGV[0] does not exist";
while ($line = <FP>)
{
    if ($line =~ /(Received :)|(Sending :)/)
    {
        @words = split(/\|/, $line);
        # Assumption: the hex message is the last |-separated field; adjust the index to the log layout.
        $received = $words[-1];
        # Convert to pcap using proprietary software.
        system("tshark -r /tmp/amit.pcap -V | grep -E -i 'Amit|Agarwal'"); # The grep expression only displays the fields of interest.
    }
}
close(FP);
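An alternative for the conversion step, as an added example that is not part of the original post: the hex messages can be rewritten into the offset-prefixed hex dump that text2pcap (shipped with Wireshark) reads, so tshark can dissect them. The '|'-separated layout with the payload in the last field, the function name hexlog_to_dump and the sample log lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: turn hex payloads logged on "Received :" / "Sending :" lines
# into the hex dump format text2pcap reads (offset, then space-separated bytes).
# Assumption: fields are '|'-separated and the payload is the last field.

hexlog_to_dump() {
    awk -F'|' '
    /Received :|Sending :/ {
        dir = ($0 ~ /Received :/) ? "Received" : "Sending"
        hex = $NF
        gsub(/[ \t\r]/, "", hex)          # tolerate "de ad be ef" spacing
        # Skip anything that is not whole bytes of hex instead of guessing.
        if (hex == "" || length(hex) % 2 || hex !~ /^[0-9A-Fa-f]+$/) {
            printf "line %d: skipped, payload is not valid hex\n", NR > "/dev/stderr"
            next
        }
        # Lines starting with "#" are comments to text2pcap.
        printf "# %s (log line %d)\n", dir, NR
        # Offset 000000 starts a new packet; 16 bytes per dump line.
        for (i = 0; i < length(hex) / 2; i++) {
            if (i % 16 == 0) printf "%s%06x", (i ? "\n" : ""), i
            printf " %s", substr(hex, 2 * i + 1, 2)
        }
        printf "\n"
    }'
}

# Constructed sample log (not taken from a real system).
SAMPLE_LOG='2024-05-01 10:00:01|INFO|Received :|48656c6c6f
2024-05-01 10:00:02|INFO|heartbeat ok
2024-05-01 10:00:03|INFO|Sending :|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11
2024-05-01 10:00:04|WARN|Received :|4865zz'

printf '%s\n' "$SAMPLE_LOG" | hexlog_to_dump

# To build a pcap, pipe the dump into text2pcap. -u prepends dummy
# Ethernet/IP/UDP headers; the ports and file names here are placeholders:
#   hexlog_to_dump < app.log | text2pcap -u 5000,5001 - /tmp/messages.pcap
#   tshark -r /tmp/messages.pcap -V
```

The malformed line is reported on stderr and left out of the dump, so a truncated log entry cannot shift the bytes of the packets that follow it.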
Another technique that is quite helpful is to use a different color for grep when you are searching for errors/warnings. This can be done using:
export GREP_COLOR="01;31" && tshark command