From: Vadim Kochan <vadi...@gmail.com>
It might be useful to filter interesting traffic from an input pcap file into an output pcap file that contains only the filtered packets:
$ netsniff-ng -i input.pcap -o output.pcap ip src 192.168.1.198
Now it is possible by specifying output pcap file with ".pcap" extension, otherwise the trafgen file will be generated as by default.
Signed-off-by: Vadim Kochan <vadi...@gmail.com>
---
 netsniff-ng.8 | 5 +++--
 netsniff-ng.c | 23 +++++++++++++++++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/netsniff-ng.8 b/netsniff-ng.8
index b6f129a..0884959 100644
--- a/netsniff-ng.8
+++ b/netsniff-ng.8
@@ -78,8 +78,9 @@ file that should not have the default pcap type (0xa1b2c3d4), the additional option \[lq]\-T\[rq] must be provided. If a directory is given, then, instead of a single pcap file, multiple pcap files are generated with rotation based on maximum file size or a given interval (\[lq]\-F\[rq] option). A trafgen configuration
-file can currently only be specified if the input device is a pcap file. If
-stdout is given as a device, then a trafgen configuration will be written to
+file can currently only be specified if the input device is a pcap file. To
+specify output device as pcap file the output file name must contain ".pcap" extension.
+If stdout is given as a device, then a trafgen configuration will be written to
 stdout if the input device is a pcap file, or a pcap file if the input device is a networking device.
 .PP
diff --git a/netsniff-ng.c b/netsniff-ng.c
index 477c81d..e73c1a8 100644
--- a/netsniff-ng.c
+++ b/netsniff-ng.c
@@ -528,6 +528,8 @@ static void read_pcap(struct ctx *ctx)
 struct sock_fprog bpf_ops;
 struct frame_map fm;
 struct timeval start, end, diff;
+ bool is_out_pcap = ctx->device_out && strstr(ctx->device_out, ".pcap");
+ const struct pcap_file_ops *pcap_out_ops = pcap_ops[PCAP_OPS_RW];

 bug_on(!__pcap_io);

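Review bot: `strstr(ctx->device_out, ".pcap")` in the read_pcap declarations hunk matches ".pcap" anywhere in the path, so an output named `out.pcap.cfg` or placed under a directory such as `captures.pcap/` would be written as a pcap file instead of the trafgen config; if the intent is the file extension, `size_t len = ctx->device_out ? strlen(ctx->device_out) : 0;` followed by `bool is_out_pcap = len >= 5 && !strcmp(ctx->device_out + len - 5, ".pcap");` pins it to the suffix, and the man-page hunk would then say "end with" rather than "contain". The neighbouring `pcap_out_ops = pcap_ops[PCAP_OPS_RW]` fixes the writer to the RW ops whatever `ctx->pcap` selected for the input, which looks deliberate but is unexplained; a comment above it such as `/* output is always written with the plain read/write ops */` would record that. read_pcap begins before this hunk and continues after it.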
@@ -537,7 +539,8 @@ static void read_pcap(struct ctx *ctx)
 if (ctx->pcap == PCAP_OPS_MM)
 ctx->pcap = PCAP_OPS_SG;
 } else {
- fd = open_or_die(ctx->device_in, O_RDONLY | O_LARGEFILE | O_NOATIME);
+ fd = open_or_die(ctx->device_in, O_RDONLY | O_LARGEFILE |
+ O_NOATIME);
 }

 if (__pcap_io->init_once_pcap)
@@ -574,6 +577,13 @@ static void read_pcap(struct ctx *ctx)
 }
 }

+ if (is_out_pcap) {
+ int rc = pcap_out_ops->push_fhdr_pcap(fdo, ctx->magic,
+ ctx->link_type);
+ if (rc)
+ panic("Error writing pcap header!\n");
+ }
+
 drop_privileges(ctx->enforce, ctx->uid, ctx->gid);
 printf("Running! Hang up with ^C!\n\n");
@@ -612,8 +622,16 @@ static void read_pcap(struct ctx *ctx)
 dissector_entry_point(out, fm.tp_h.tp_snaplen, ctx->link_type,
 ctx->print_mode);

- if (ctx->device_out)
+ if (is_out_pcap) {
+ int pcap_len = pcap_get_length(&phdr, ctx->magic);
+ int wlen = pcap_out_ops->write_pcap(fdo, &phdr,
+ ctx->magic, out, pcap_len);
+
+ if (unlikely(wlen != (int)pcap_get_total_length(&phdr, ctx->magic)))
+ panic("Write error to pcap!\n");
+ } else if (ctx->device_out) {
 translate_pcap_to_txf(fdo, out, fm.tp_h.tp_snaplen);
+ }

 if (frame_count_max != 0) {
 if (ctx->tx_packets >= frame_count_max) {
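Review bot: The short-write check in the write_pcap hunk panics with a fixed `"Write error to pcap!\n"` and discards the cause, so a full disk, a bad descriptor in `fdo` and a partial write all look identical to the user. If `write_pcap` leaves `errno` set (not visible here) and `panic` accepts a printf-style format as the existing `"Error writing pcap header!\n"` call suggests, `panic("Write error to pcap: %s\n", strerror(errno));` makes the failure diagnosable, and the header-write hunk above could report its error the same way. Both hunks sit inside read_pcap, whose body starts and ends outside them.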
@@ -1132,6 +1150,7 @@ static void __noreturn help(void)
 " netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0\n"
 " netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0\n"
 " netsniff-ng --in dump.pcap --out dump.cfg --silent --bind-cpu 0\n"
+ " netsniff-ng --in dump.pcap --out dump2.pcap --silent tcp\n"
 " netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 -J --type host\n"
 " netsniff-ng --in eth1 --out /opt/probe/ -s -m --interval 100MiB -b 0\n"
 " netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob`\n"
--
2.1.3
--
You received this message because you are subscribed to the Google Groups "netsniff-ng" group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.