Capture filter PCAP - Filter IP address to reduce file size

Time: 2017-12-18 05:09:01

Tags: wireshark pcap

Currently I have some traffic being forwarded to a machine in a data center; this machine has a PCAP script running to grab all of this traffic. After X period of time the files are compressed using 7-Zip to make the files as small as possible.

The workflow at the moment involves collecting the files directly from the data center and uploading them to a work machine for analysis. We have access to another machine on the network, not in the data center, and would like to collect the files over the network. The only problem is that the PCAP then includes this transfer in the files, and as they are already compressed this causes the files to balloon in size, going from sub 10 MB to 80 MB+.

It is important to collect all of the network traffic so I was hoping just to filter out transfers between these two machines rather than specifying all of the connections I need to capture.

I tried adding:

"-f not src net 10.213.121.13"
"-f not host 10.213.121.13"

to the script, but in both cases it complained about a syntax issue. Any ideas of how to accomplish this would be appreciated.

Script:

dumpcap -i1 -b filesize:100000 files:200 -f not src net 10.213.121.13 -w C:\WIRESHARK_LOGS\log_dumpcap

1 answer:

Answer 0: (score: 1)

The problem is that dumpcap requires the filter expression to be quoted, unlike tcpdump, where it may be quoted (quotes are needed if it contains BPF-filter or other shell-digestible characters). So the following should solve your problem:

dumpcap -i1 -b filesize:100000 files:200 -f 'not src host 10.213.121.13' -w C:\WIRESHARK_LOGS\log_dumpcap

However, I assume you will be transferring the files with TCP. If that is the case, you really don't want the ACK packets either, so:

dumpcap -i1 -b filesize:100000 files:200 -f 'not host 10.213.121.13' -w C:\WIRESHARK_LOGS\log_dumpcap

However, I would suggest you may want to refine this further. I would suggest specifying the port used for the transfer, so that you don't blind yourself to all the other traffic going to and from the 10.213.121.13 box.
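The quoting problem in the question exists only because the filter is assembled by a shell. The following added example (written for this edit, not code from the question, the answer or the Wireshark project) sidesteps it by building the dumpcap argv as a Python list, so the whole BPF expression reaches dumpcap as one argument on both Windows and Unix; it also builds the narrower filter the answer recommends (exclude only the transfer's TCP port, not every packet to or from the host) and compiles the filter with dumpcap's `-d` option before any long-running capture is started. The interface name, ring-buffer sizes, host and port are constructed values, and validation is skipped when dumpcap is not on the PATH.

```python
"""Build, narrow and pre-validate a dumpcap capture filter.

Added example; not part of the original question or answer.
Assumptions (constructed for illustration): interface "1", 200 files of
100000 KB, transfer host 10.213.121.13, transfer over TCP port 22.
"""
import shutil
import subprocess
from typing import List, Optional


def exclusion_filter(host: str, port: Optional[int] = None) -> str:
    """Return a BPF capture filter that drops the file-transfer traffic.

    'not host X' excludes packets where X is source OR destination, so the
    ACKs flowing back during a TCP transfer are dropped as well ('not src
    host X' would keep them). With a port, only that flow is excluded and
    everything else to or from the host is still captured.
    """
    if port is None:
        return f"not host {host}"
    return f"not (host {host} and tcp port {port})"


def build_dumpcap_argv(interface: str, filesize_kb: int, files: int,
                       capture_filter: str, outfile: str) -> List[str]:
    """Return the dumpcap command as an argv list.

    The filter is a single list element, so neither cmd.exe nor a POSIX
    shell ever gets the chance to split it on spaces. Each ring-buffer
    option gets its own -b, as dumpcap's help lists them.
    """
    return [
        "dumpcap",
        "-i", interface,
        "-b", f"filesize:{filesize_kb}",
        "-b", f"files:{files}",
        "-f", capture_filter,
        "-w", outfile,
    ]


def validate_filter(interface: str, capture_filter: str) -> Optional[bool]:
    """Compile the filter without capturing.

    dumpcap -d prints the generated BPF code for the filter and exits, so a
    syntax error shows up here instead of after the capture script has been
    left unattended. Returns True/False, or None when dumpcap is not installed.
    """
    if shutil.which("dumpcap") is None:
        return None
    result = subprocess.run(
        ["dumpcap", "-i", interface, "-d", "-f", capture_filter],
        capture_output=True, text=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed values; adjust to the real interface, host and port.
    flt = exclusion_filter("10.213.121.13", 22)
    argv = build_dumpcap_argv("1", 100000, 200, flt,
                              r"C:\WIRESHARK_LOGS\log_dumpcap")
    print("filter :", flt)
    print("argv   :", argv)
    status = validate_filter("1", flt)
    print("valid  :", "dumpcap not found" if status is None else status)
    # To start the capture once the filter compiles:
    # subprocess.run(argv)
```

Because the filter is passed through `subprocess` as one list element, the same script works unchanged from a Windows scheduled task or a Unix cron job; if the script must stay a plain shell command, the equivalent is double quotes around the expression on cmd.exe and single or double quotes on a POSIX shell.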