Question

我有一个大的pcap文件，我试图拆分，我有一个IP地址列表。我想将pcap分成两个较小的pcaps。一个pcap将包含src等于我列表中的一个IP地址的所有数据包，一个pcap将包含其他所有数据包（dest等于列出的IP地址之一）。换句话说，一个pcap包括流入这些机器的所有数据包，一个pcap包括流出这些机器的所有数据包。所有数据包的src或dest都等于列出的IP之一。可以使用tcpdump完成吗？我真的更喜欢使用tcpdump，因为在我正在使用的Linux机器上安装任何其他工具对我来说将是一个很大的开销。

Answer 1

是的，你可以。

首先使用tcpdump -w FILE来记录数据包流：

$ sudo tcpdump -i eth0 -s0 -n -e -w /tmp/w.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C123 packets captured
126 packets received by filter
0 packets dropped by kernel

然后使用tcpdump -r FILE阅读它。

$ tcpdump -n -r /tmp/w.pcap | head
20:48:38.498793 IP 192.168.250.10.22 > 192.168.250.1.49434: Flags [P.], seq 240912301:240912433, ack 2683174485, win 724, options [nop,nop,TS val 8711083 ecr 381715459], length 132
20:48:38.498968 IP 192.168.250.1.49434 > 192.168.250.10.22: Flags [.], ack 132, win 8183, options [nop,nop,TS val 381715490 ecr 8711083], length 0
20:48:40.945504 IP 192.168.250.10.68 > 192.168.250.254.67: BOOTP/DHCP, Request from 00:0c:29:48:aa:d6, length 300
20:48:40.946062 IP 192.168.250.254.67 > 192.168.250.10.68: BOOTP/DHCP, Reply, length 300
20:48:41.045549 IP 192.168.250.10.33131 > 109.231.72.179.22: Flags [S], seq 724706181, win 29200, options [mss 1460,sackOK,TS val 8711720 ecr 0,nop,wscale 6], length 0
20:48:42.539655 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [S], seq 3387751538, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 381719336 ecr 0,sackOK,eol], length 0
20:48:42.539703 IP 192.168.250.10.22 > 192.168.250.1.49471: Flags [S.], seq 3352023725, ack 3387751539, win 28960, options [mss 1460,sackOK,TS val 8712093 ecr 381719336,nop,wscale 6], length 0
20:48:42.539782 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [.], ack 1, win 8235, options [nop,nop,TS val 381719336 ecr 8712093], length 0
20:48:42.540066 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [P.], seq 1:22, ack 1, win 8235, options [nop,nop,TS val 381719336 ecr 8712093], length 21
20:48:42.540078 IP 192.168.250.10.22 > 192.168.250.1.49471: Flags [.], ack 22, win 453, options [nop,nop,TS val 8712093 ecr 381719336], length 0

要过滤掉特定主机，只需使用标准tcpdump命令行，例如：

$ tcpdump -n -r /tmp/w.pcap host 8.8.8.8 | head
reading from file /tmp/w.pcap, link-type EN10MB (Ethernet)
20:48:47.595511 IP 192.168.250.10 > 8.8.8.8: ICMP echo request, id 10742, seq 1, length 64
20:48:47.603743 IP 8.8.8.8 > 192.168.250.10: ICMP echo reply, id 10742, seq 1, length 64
20:48:48.597758 IP 192.168.250.10 > 8.8.8.8: ICMP echo request, id 10742, seq 2, length 64
20:48:48.606064 IP 8.8.8.8 > 192.168.250.10: ICMP echo reply, id 10742, seq 2, length 64
20:48:49.600303 IP 192.168.250.10 > 8.8.8.8: ICMP echo request, id 10742, seq 3, length 64
20:48:49.610471 IP 8.8.8.8 > 192.168.250.10: ICMP echo reply, id 10742, seq 3, length 64

或排除该主机：

$ tcpdump -n -r /tmp/w.pcap not host 8.8.8.8 | head
reading from file /tmp/w.pcap, link-type EN10MB (Ethernet)
20:48:38.498793 IP 192.168.250.10.22 > 192.168.250.1.49434: Flags [P.], seq 240912301:240912433, ack 2683174485, win 724, options [nop,nop,TS val 8711083 ecr 381715459], length 132
20:48:38.498968 IP 192.168.250.1.49434 > 192.168.250.10.22: Flags [.], ack 132, win 8183, options [nop,nop,TS val 381715490 ecr 8711083], length 0
20:48:40.945504 IP 192.168.250.10.68 > 192.168.250.254.67: BOOTP/DHCP, Request from 00:0c:29:48:aa:d6, length 300
20:48:40.946062 IP 192.168.250.254.67 > 192.168.250.10.68: BOOTP/DHCP, Reply, length 300
20:48:41.045549 IP 192.168.250.10.33131 > 109.231.72.179.22: Flags [S], seq 724706181, win 29200, options [mss 1460,sackOK,TS val 8711720 ecr 0,nop,wscale 6], length 0
20:48:42.539655 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [S], seq 3387751538, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 381719336 ecr 0,sackOK,eol], length 0
20:48:42.539703 IP 192.168.250.10.22 > 192.168.250.1.49471: Flags [S.], seq 3352023725, ack 3387751539, win 28960, options [mss 1460,sackOK,TS val 8712093 ecr 381719336,nop,wscale 6], length 0
20:48:42.539782 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [.], ack 1, win 8235, options [nop,nop,TS val 381719336 ecr 8712093], length 0
20:48:42.540066 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [P.], seq 1:22, ack 1, win 8235, options [nop,nop,TS val 381719336 ecr 8712093], length 21
20:48:42.540078 IP 192.168.250.10.22 > 192.168.250.1.49471: Flags [.], ack 22, win 453, options [nop,nop,TS val 8712093 ecr 381719336], length 0

您可以使用tcpdump -n -r /tmp/w.pcap host 8.8.8.8 or host 8.8.4.4或类似内容来执行主机列表。

在多个IP地址上拆分pcap

1 个答案: