
The tcpdump-like filter fails to read and match linux cooked captures (with link type SLL) #9

Open
beef9 opened this issue Mar 10, 2021 · 4 comments

Comments

@beef9

beef9 commented Mar 10, 2021

Executing the following on a 320MiB file:

$ large_pcap_analyzer captures.pcap -v -Y "src host X and src port Y" -w output_large_pcap/output.pcap

yields:

Successfully compiled PCAP filter: src host X and src port Y
Analyzing PCAP file 'captures.pcap'...
The PCAP file has size 0.31GiB = 320MiB.
Successfully opened output PCAP 'output_large_pcap/output.pcap'
Processing took 0 seconds.
0M packets (939519 packets) were loaded from PCAP (matching PCAP filter).
0M packets (0 packets) matched the filtering criteria (search string / PCAP filters / TCP streams filter) and were saved into output PCAP.

I took the same file and converted all Ethernet layers to correctly formatted Ethernet headers (with src MAC and dst MAC addresses), and now it works:

Successfully compiled PCAP filter: src host X and src port Y
Analyzing PCAP file 'captures_edited.pcapng'...
The PCAP file has size 0.33GiB = 333MiB.
Successfully opened output PCAP 'output_large_pcap/output.pcap'
Processing took 0 seconds.
0M packets (939519 packets) were loaded from PCAP (matching PCAP filter).
0M packets (24312 packets) matched the filtering criteria (search string / PCAP filters / TCP streams filter) and were saved into output PCAP.

@MHTTHM

MHTTHM commented Jun 7, 2021

Hello, have you solved this problem?
I have the same problem now.

@beef9
Author

beef9 commented Jun 14, 2021

@MHTTHM

Hello, have you solved this problem?
I have the same problem now.

I used a tool compiled for Windows; I can't remember the name now, but I think I used the app named TraceWrangler.
This tool can convert Linux cooked headers to Ethernet pseudo headers, but I don't think it stores the actual MAC addresses. So if you don't care about them, just go with this app.

@MHTTHM

MHTTHM commented Jun 15, 2021

@MHTTHM

Hello, have you solved this problem?
I have the same problem now.

I used a tool compiled for Windows; I can't remember the name now, but I think I used the app named TraceWrangler.
This tool can convert Linux cooked headers to Ethernet pseudo headers, but I don't think it stores the actual MAC addresses. So if you don't care about them, just go with this app.

thank you for your help!

@f18m
Owner

f18m commented Jun 15, 2021

Support for Linux cooked header should not be difficult to add... it's not a priority for me though... patches are welcome :)
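The symptom reported at the top of the thread (the same filter matching 0 packets on the SLL capture and 24312 packets once the frames were rewritten with Ethernet headers) is what you get when a packet parser assumes Ethernet's 14-byte link-layer header regardless of the file's link type: on a Linux cooked capture the IP header then starts two bytes later than expected, the EtherType read at offset 12 is garbage, and nothing matches. The C++ below is an added illustration of what "support for Linux cooked header" involves; it is not code from large_pcap_analyzer. It dispatches on the libpcap DLT number to find the IPv4 header, then applies the equivalent of "src host X and src port Y" to frames constructed inline for the example (addresses, ports and MACs are made up; the header layouts for DLT_EN10MB = 1, DLT_LINUX_SLL = 113 and DLT_LINUX_SLL2 = 276 are libpcap's documented ones).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// libpcap DLT_* link-layer type numbers and their fixed header layouts.
constexpr int DLT_EN10MB     = 1;    // Ethernet: dst(6) src(6) ethertype(2) = 14 bytes
constexpr int DLT_LINUX_SLL  = 113;  // Linux cooked v1: 16 bytes, protocol at offset 14
constexpr int DLT_LINUX_SLL2 = 276;  // Linux cooked v2: 20 bytes, protocol at offset 0
constexpr uint16_t ETHERTYPE_IPV4 = 0x0800;
constexpr uint8_t  IPPROTO_TCP_NUM = 6;

struct FlowKey {
    bool ok = false;   // false when the frame could not be parsed as IPv4/TCP
    uint32_t src_ip = 0, dst_ip = 0;
    uint16_t src_port = 0, dst_port = 0;
};

static uint16_t be16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t* p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

// Length of the link-layer header for this DLT and the EtherType it carries;
// -1 for an unsupported link type or a frame too short to hold the header.
static int link_header(int dlt, const uint8_t* pkt, size_t len, uint16_t& proto) {
    switch (dlt) {
    case DLT_EN10MB:     if (len < 14) return -1; proto = be16(pkt + 12); return 14;
    case DLT_LINUX_SLL:  if (len < 16) return -1; proto = be16(pkt + 14); return 16;
    case DLT_LINUX_SLL2: if (len < 20) return -1; proto = be16(pkt);      return 20;
    default:             return -1;
    }
}

// Locate IPv4 + TCP after the link-layer header and extract the 4-tuple.
FlowKey parse_ipv4_tcp(int dlt, const uint8_t* pkt, size_t len) {
    FlowKey k;
    uint16_t proto = 0;
    int l2 = link_header(dlt, pkt, len, proto);
    if (l2 < 0 || proto != ETHERTYPE_IPV4) return k;
    const uint8_t* ip = pkt + l2;
    size_t rem = len - (size_t)l2;
    if (rem < 20 || (ip[0] >> 4) != 4) return k;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   // IP header length including options
    if (ihl < 20 || rem < ihl + 4 || ip[9] != IPPROTO_TCP_NUM) return k;
    const uint8_t* tcp = ip + ihl;
    k.src_ip = be32(ip + 12); k.dst_ip = be32(ip + 16);
    k.src_port = be16(tcp);   k.dst_port = be16(tcp + 2);
    k.ok = true;
    return k;
}

// The "src host X and src port Y" test from the issue, applied after the
// link type has been honoured.
bool matches_src(int dlt, const std::vector<uint8_t>& f, uint32_t src_ip, uint16_t src_port) {
    FlowKey k = parse_ipv4_tcp(dlt, f.data(), f.size());
    return k.ok && k.src_ip == src_ip && k.src_port == src_port;
}

// --- constructed sample data (not taken from any real capture) -------------
constexpr uint32_t SAMPLE_SRC_IP   = 0x0A000001;   // 10.0.0.1
constexpr uint16_t SAMPLE_SRC_PORT = 4444;

// IPv4/TCP SYN 10.0.0.1:4444 -> 10.0.0.2:80; checksums left zero (not validated here).
std::vector<uint8_t> ipv4_tcp_payload() {
    return {0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
            10,0,0,1, 10,0,0,2,
            0x11,0x5c, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0};
}

// Prefix the payload with the link-layer header of the requested DLT.
std::vector<uint8_t> wrap(int dlt, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> f;
    if (dlt == DLT_EN10MB)
        f = {0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00};
    else if (dlt == DLT_LINUX_SLL)   // pkttype=0, ARPHRD_ETHER=1, addrlen=6, addr+pad(8), proto
        f = {0x00,0x00, 0x00,0x01, 0x00,0x06, 0x66,0x77,0x88,0x99,0xaa,0xbb,0x00,0x00, 0x08,0x00};
    else if (dlt == DLT_LINUX_SLL2)  // proto, reserved, ifindex=2, ARPHRD_ETHER, pkttype, addrlen, addr+pad(8)
        f = {0x08,0x00, 0x00,0x00, 0x00,0x00,0x00,0x02, 0x00,0x01, 0x00, 0x06,
             0x66,0x77,0x88,0x99,0xaa,0xbb,0x00,0x00};
    f.insert(f.end(), payload.begin(), payload.end());
    return f;
}

int main() {
    const int dlts[] = {DLT_EN10MB, DLT_LINUX_SLL, DLT_LINUX_SLL2};
    for (int dlt : dlts) {
        std::vector<uint8_t> f = wrap(dlt, ipv4_tcp_payload());
        std::printf("DLT %3d parsed as its own type: %s; parsed as Ethernet: %s\n", dlt,
                    matches_src(dlt, f, SAMPLE_SRC_IP, SAMPLE_SRC_PORT) ? "match" : "no match",
                    matches_src(DLT_EN10MB, f, SAMPLE_SRC_IP, SAMPLE_SRC_PORT) ? "match" : "no match");
    }
    return 0;
}
```

Running it shows the Ethernet frame matching either way while both cooked variants match only when their own DLT is used, which reproduces the "0 packets matched" outcome from the first post. In a real libpcap-based tool the DLT comes from pcap_datalink() on the opened file, and since that value is per file (not per packet) it only needs to be consulted once before the packet loop; a capture taken on the "any" interface will carry DLT_LINUX_SLL or, with newer libpcap, DLT_LINUX_SLL2, so handling both avoids the rewrite-to-Ethernet workaround discussed above.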
