Hi Richard,

Thanks for the info, the argus command line works a treat, with a little massaging with sed I have something workable.

The tshark command does not work with such a large pcap file, it just errors with "could not be opened: value too large for defined data type".

thanks
Ivan

On Dec 9, 2007 3:47 PM, Richard Bejtlich <[EMAIL PROTECTED]> wrote:
> Ivan wrote:
>
> > Does anyone have any ideas for flow information extraction from a rather
> > large pcap file, 6 gigs?
> >
> > I am after the standard stuff, source, destination, service.
> >
> > Ethereal/wireshark is a no go, as it won't process the file due to size,
> > tcpflow is OK, but a little untidy.
> >
> > any suggestions are appreciated, preferably open source and also
> > has anyone used "tcpdstat" for something like this?
>
> Ivan,
>
> Argus (qosient.com/argus) is your friend, e.g:
>
> argus -r your.pcap -w - | ra -n -z -L0
>
> Russ McRee wrote a nice Argus 3 intro here:
>
> http://holisticinfosec.org/toolsmith/docs/november2007.pdf
>
> Tcpdstat is not the right tool for this task. If you do want summary
> stats, Tshark does a better job:
>
> tshark -n -r your.pcap -q -z io,phs
>
> I cover these in my books and blog.
>
> Sincerely,
>
> Richard
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
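The thread does not show what the "argus | ra" pipeline (or Ivan's sed pass over it) actually produces, so here is an added example, not from the thread and not argus, ra or tshark, of the same job done directly: a per-flow summary of source, destination and service (protocol/destination port), built by reading the pcap one record at a time so a 6 GB file costs no more memory than a 6 KB one. It assumes an Ethernet (DLT_EN10MB) capture carrying IPv4; everything else is counted and skipped. The three-packet capture it runs on is constructed inline for demonstration. One caveat on the tshark failure: "value too large for defined data type" is the libc EOVERFLOW message, which on opening a file almost always means the binary was built without large-file support (32-bit file offsets), so anything over 2 GB cannot be opened at all. A build with large-file support, or splitting the capture first with editcap, gets past it; the Python open() below has no such limit on a modern platform.

```python
"""Stream (src, dst, proto, dport) flows out of a pcap without loading it into memory.

Added example for this thread, not argus/ra or tshark. Assumes an Ethernet
(DLT_EN10MB) capture with IPv4 traffic; anything else is counted and skipped.
"""
import io
import struct
import sys
from collections import defaultdict

ETH_P_IP, ETH_P_8021Q, ETH_P_ARP = 0x0800, 0x8100, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def iter_packets(fh):
    """Yield (ts_sec, wire_len, frame) per record, reading one record at a time."""
    hdr = fh.read(24)
    if len(hdr) < 24:
        raise ValueError("truncated pcap global header")
    if hdr[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):   # little-endian, usec/nsec
        order = "<"
    elif hdr[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian
        order = ">"
    else:
        raise ValueError("not a pcap file (bad magic %r)" % hdr[:4])
    linktype = struct.unpack(order + "HHiIII", hdr[4:])[5]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT 1) is handled here, got %d" % linktype)
    while True:
        rec = fh.read(16)
        if len(rec) < 16:
            return                                      # clean end of file
        ts_sec, _, caplen, wire_len = struct.unpack(order + "IIII", rec)
        frame = fh.read(caplen)
        if len(frame) < caplen:
            return                                      # truncated capture: stop, do not mis-parse
        yield ts_sec, wire_len, frame


def _ip(b):
    return ".".join(str(x) for x in b)


def flow_key(frame):
    """Return (src, dst, proto_name, dport) for an IPv4 frame, or None if it is not IPv4."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETH_P_8021Q:                        # strip a single 802.1Q tag
        if len(frame) < 18:
            return None
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETH_P_IP or len(frame) < off + 20:
        return None
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    dport = None                                        # only the first fragment carries ports
    if proto in (PROTO_TCP, PROTO_UDP) and frag_off == 0 and len(ip) >= ihl + 4:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return _ip(ip[12:16]), _ip(ip[16:20]), PROTO_NAMES.get(proto, str(proto)), dport


def summarize_flows(fh):
    """Aggregate packets and wire bytes per flow key; return (flows, skipped_frames)."""
    flows, skipped = defaultdict(lambda: [0, 0]), 0
    for _, wire_len, frame in iter_packets(fh):
        key = flow_key(frame)
        if key is None:
            skipped += 1
            continue
        flows[key][0] += 1
        flows[key][1] += wire_len
    return dict(flows), skipped


def flow_table(flows):
    """Render flows as ra-style text lines, busiest flow first."""
    lines = []
    for (src, dst, proto, dport), (pkts, nbytes) in sorted(flows.items(), key=lambda kv: -kv[1][1]):
        svc = "%s/%s" % (proto, "-" if dport is None else dport)
        lines.append("%-15s -> %-15s %-10s %6d pkts %10d bytes" % (src, dst, svc, pkts, nbytes))
    return lines


def build_sample_pcap():
    """Constructed capture (not real traffic): 2 TCP SYNs to :80, 1 UDP packet to :53, 1 ARP frame."""
    def ipv4(src, dst, proto, l4):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                           bytes(int(x) for x in src.split(".")),
                           bytes(int(x) for x in dst.split("."))) + l4
    def tcp(sport, dport):
        return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    def udp(sport, dport, payload):
        return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    def eth(ethertype):
        return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype)
    frames = [
        eth(ETH_P_IP) + ipv4("10.0.0.5", "192.0.2.10", PROTO_TCP, tcp(40000, 80)),
        eth(ETH_P_IP) + ipv4("10.0.0.5", "192.0.2.10", PROTO_TCP, tcp(40000, 80)),
        eth(ETH_P_IP) + ipv4("10.0.0.5", "192.0.2.53", PROTO_UDP, udp(53000, 53, b"\x00" * 12)),
        eth(ETH_P_ARP) + b"\x00" * 28,                  # not IPv4: skipped by flow_key
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1197000000 + i, 0, len(f), len(f)) + f
    return out


def summarize_sample():
    """Run the extractor over the constructed capture."""
    return summarize_flows(io.BytesIO(build_sample_pcap()))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    flows, skipped = summarize_flows(open(path, "rb")) if path else summarize_sample()
    print("\n".join(flow_table(flows)))
    print("skipped non-IPv4 frames: %d" % skipped, file=sys.stderr)
```

Run it as `python flows.py your.pcap` to get one line per (src, dst, proto/dport) flow; with no argument it runs on the constructed sample. The flow key here is one-directional and keyed on destination port only, which is what "source, destination, service" asks for; argus and ra pair both directions into a single bidirectional record and also track the source port, so expect their counts to differ from this script's on real traffic.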
