Sometimes you need to open "big" network traffic capture files (a.k.a. .cap files). This is a common problem, since this kind of logging is usually very verbose: leaving a packet sniffer (such as tcpdump) running overnight, logging every packet that passes through a network interface card, can easily generate several gigabytes of data.
Wireshark (formerly known as Ethereal) is an excellent open source packet sniffer with a nice graphical user interface (GUI), available for many different platforms.
According to Wireshark's documentation:
Wireshark uses memory to store packet metadata (e.g. conversation and fragmentation related data) and to display this info on the screen.
How much memory is actually used depends on:
- the number of packets captured (well, depending on the capture duration and the network load on the line)
- the kind of packets captured (small/large packets, some packet types will lead to much more memory usage than others)
- the preference settings, e.g. the “TCP desegmentation” setting
In my experience (and with the capture files and Preference settings I'm usually working with), I need about ten times the memory of the actual capture file size. But again, this will largely depend on the things noted above.
Fortunately, Wireshark includes an easy-to-use command-line tool to manipulate capture files: editcap.
Editcap can process a huge capture file and extract only the packets that fall within a given period of time, without loading the whole file into memory. This is perfect if, let's say, you have a 24-hour capture file and you know that problems were reported at a certain time: extract the packets around that time into a new, much smaller file and open that one in Wireshark.
Editcap Usage
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets, default is to delete them
  -A <start time>        don't output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss)
  -B <stop time>         don't output packets whose timestamp is after the
                         given time (format as YYYY-MM-DD hh:mm:ss)
  -d                     remove duplicate packets

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data
  -C <choplen>           chop each packet at the end by <choplen> bytes
  -t <time adjustment>   adjust the timestamp of each packet,
                         <time adjustment> is in relative seconds (e.g. -0.5)
  -E <error probability> set the probability (between 0.0 and 1.0 incl.)
                         that a particular packet byte will be randomly changed

Output File(s):
  -c <packets per file>  split the packet output to different files,
                         with a maximum of <packets per file> each
  -F <capture type>      set the output file type, default is libpcap
                         an empty "-F" option will list the file types
  -T <encap type>        set the output file encapsulation type,
                         default is the same as the input file
                         an empty "-T" option will list the encapsulation types

Miscellaneous:
  -h                     display this help and exit
  -v                     verbose output
Editcap Example
This example extracts all the packets captured on 4th July 2008 between 6am and 7am and writes them to a new file:
- Source file: 2008-07-04_capture.cap (813 MB)
- Destination file: 6to7.cap (48.5 MB)
editcap -A "2008-07-04 06:00:00" -B "2008-07-04 07:00:00" 2008-07-04_capture.cap 6to7.cap
Both bounds are inclusive, and editcap interprets the -A/-B strings in the local time zone of the machine it runs on, so make sure that matches the time zone in which the problem was reported. You can confirm the result with capinfos 6to7.cap, which prints the first and last packet times of the new file.
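To show what editcap's -A/-B filtering actually does under the hood, here is an added example (my own code, not part of the original post and not Wireshark's) that streams a classic pcap file record by record and copies only the packets whose timestamp falls inside a window. Because it never holds more than one packet in memory, it works on multi-gigabyte captures; the global header and record headers are copied verbatim, so the output keeps the input's byte order, snaplen and link type. It handles little- and big-endian files and both the microsecond and nanosecond pcap magic numbers, but not pcapng. The window is given as UTC epoch seconds to avoid the local-time ambiguity of the editcap strings. Function names and the five-packet sample capture are my own constructions.

```python
"""Stream-filter a classic pcap by packet timestamp, like `editcap -A/-B`.

Added example, not code from the original post or from Wireshark. One record
is read at a time, so memory use stays flat regardless of input size.
"""
import io
import struct
from datetime import datetime, timezone

# pcap magic number -> fractional-second units per second (usec or nsec)
MAGIC_DIVISOR = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}
GLOBAL_HDR_LEN = 24   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def _read_exact(f, n):
    data = f.read(n)
    if len(data) != n:
        raise EOFError("truncated pcap: wanted %d bytes, got %d" % (n, len(data)))
    return data


def parse_global_header(f):
    """Return (raw header bytes, struct endianness prefix, fractional divisor)."""
    raw = _read_exact(f, GLOBAL_HDR_LEN)
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", raw[:4])
        if magic in MAGIC_DIVISOR:
            return raw, endian, MAGIC_DIVISOR[magic]
    raise ValueError("not a classic pcap file (pcapng is not handled here)")


def iter_records(f, endian):
    """Yield (raw record header, ts_sec, ts_frac, packet bytes) one record at a time."""
    fmt = endian + "IIII"
    while True:
        hdr = f.read(RECORD_HDR_LEN)
        if not hdr:
            return                      # clean end of file
        if len(hdr) != RECORD_HDR_LEN:
            raise EOFError("truncated record header")
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(fmt, hdr)
        yield hdr, ts_sec, ts_frac, _read_exact(f, incl_len)


def filter_by_time(src, dst, start, stop):
    """Copy records with start <= timestamp <= stop (inclusive, as editcap -A/-B).

    start/stop are UTC epoch seconds. Headers and packet data are copied
    verbatim, so the output keeps the input's byte order, snaplen and link type.
    Returns (kept, dropped).
    """
    global_hdr, endian, divisor = parse_global_header(src)
    dst.write(global_hdr)
    kept = dropped = 0
    for hdr, ts_sec, ts_frac, data in iter_records(src, endian):
        ts = ts_sec + ts_frac / divisor
        if ts < start or ts > stop:
            dropped += 1
            continue
        dst.write(hdr)
        dst.write(data)
        kept += 1
    return kept, dropped


def record_timestamps(f):
    """Timestamps (UTC epoch seconds) of every record; handy to check a result."""
    _, endian, divisor = parse_global_header(f)
    return [sec + frac / divisor for _, sec, frac, _ in iter_records(f, endian)]


def build_pcap(timestamps, endian="<", nanos=False):
    """Construct a minimal Ethernet (linktype 1) pcap with one dummy frame per
    timestamp. Constructed test input only; real captures come from tcpdump."""
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    units = 1_000_000_000 if nanos else 1_000_000
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        sec = int(ts)
        frac = int(round((ts - sec) * units))
        frame = b"\x00" * 14 + struct.pack(">d", ts)   # zeroed Ethernet header + marker
        out += struct.pack(endian + "IIII", sec, frac, len(frame), len(frame))
        out += frame
    return out


def demo(endian="<", nanos=False):
    """Extract 2008-07-04 06:00-07:00 UTC from a constructed five-packet capture."""
    start = datetime(2008, 7, 4, 6, 0, tzinfo=timezone.utc).timestamp()
    stop = datetime(2008, 7, 4, 7, 0, tzinfo=timezone.utc).timestamp()
    # two packets just outside the window, three inside (both edges included)
    times = [start - 0.1, start, start + 1800.25, stop, stop + 0.5]
    src = io.BytesIO(build_pcap(times, endian, nanos))
    dst = io.BytesIO()
    kept, dropped = filter_by_time(src, dst, start, stop)
    dst.seek(0)
    return kept, dropped, record_timestamps(dst)


if __name__ == "__main__":
    print(demo())            # (3, 2, [1215151200.0, 1215153000.25, 1215154800.0])
```

Swap the BytesIO objects for `open(path, "rb")` / `open(out, "wb")` to run it on a real 24-hour capture; the per-record loop is the same whether the file is 50 MB or 50 GB. A truncated file (a sniffer killed mid-write, for instance) raises EOFError at the damaged record rather than silently producing a short result.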