From: Vadim Kochan <vadi...@gmail.com>

It might be useful to filter out interesting traffic
from input pcap to output pcap file which will contain only
filtered packets:

    $ netsniff-ng -i input.pcap -o output.pcap ip src 192.168.1.198

This is now possible by giving the output file a ".pcap" extension; without
that extension a trafgen configuration file is generated, as before.

Signed-off-by: Vadim Kochan <vadi...@gmail.com>
---
 netsniff-ng.8 |  5 +++--
 netsniff-ng.c | 23 +++++++++++++++++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/netsniff-ng.8 b/netsniff-ng.8
index b6f129a..0884959 100644
--- a/netsniff-ng.8
+++ b/netsniff-ng.8
@@ -78,8 +78,9 @@ file that should not have the default pcap type (0xa1b2c3d4), 
the additional
 option \[lq]\-T\[rq] must be provided. If a directory is given, then, instead 
of a
 single pcap file, multiple pcap files are generated with rotation based on
 maximum file size or a given interval (\[lq]\-F\[rq] option). A trafgen 
configuration
-file can currently only be specified if the input device is a pcap file. If
-stdout is given as a device, then a trafgen configuration will be written to
+file can currently only be specified if the input device is a pcap file. To
+specify output device as pcap file the output file name must contain ".pcap" 
extension.
+If stdout is given as a device, then a trafgen configuration will be written to
 stdout if the input device is a pcap file, or a pcap file if the input device
 is a networking device.
 .PP
diff --git a/netsniff-ng.c b/netsniff-ng.c
index 477c81d..e73c1a8 100644
--- a/netsniff-ng.c
+++ b/netsniff-ng.c
@@ -528,6 +528,8 @@ static void read_pcap(struct ctx *ctx)
        struct sock_fprog bpf_ops;
        struct frame_map fm;
        struct timeval start, end, diff;
+       bool is_out_pcap = ctx->device_out && strstr(ctx->device_out, ".pcap");
+       const struct pcap_file_ops *pcap_out_ops = pcap_ops[PCAP_OPS_RW];
 
        bug_on(!__pcap_io);
 
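Review bot: `strstr(ctx->device_out, ".pcap")` on the first added line matches the substring anywhere in the path, so `-o capture.pcap.cfg` or `-o /srv/pcaps.pcap/` would be treated as a pcap output and get a pcap global header instead of a trafgen config or a rotation directory, with no warning. A suffix test avoids that surprise and matches what the man page change promises ("extension"). The second added line also deserves a comment that `PCAP_OPS_RW` is chosen for output regardless of the `--mmap`/sg selection in `ctx->pcap`, which, judging by the next hunk, only steers the input side. read_pcap's body begins before this hunk.
```c
/* True when path ends in ".pcap" (case-sensitive), not merely contains it. */
static bool has_pcap_suffix(const char *path)
{
	size_t plen = strlen(path), slen = strlen(".pcap");

	return plen >= slen && strcmp(path + plen - slen, ".pcap") == 0;
}

/* … unchanged: read_pcap signature and other locals … */
	bool is_out_pcap = ctx->device_out && has_pcap_suffix(ctx->device_out);
	/* output always goes through plain read/write ops; ctx->pcap (mmap/sg)
	 * only selects how the input file is read */
	const struct pcap_file_ops *pcap_out_ops = pcap_ops[PCAP_OPS_RW];
```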
@@ -537,7 +539,8 @@ static void read_pcap(struct ctx *ctx)
                if (ctx->pcap == PCAP_OPS_MM)
                        ctx->pcap = PCAP_OPS_SG;
        } else {
-               fd = open_or_die(ctx->device_in, O_RDONLY | O_LARGEFILE | 
O_NOATIME);
+               fd = open_or_die(ctx->device_in, O_RDONLY | O_LARGEFILE |
+                               O_NOATIME);
        }
 
        if (__pcap_io->init_once_pcap)
@@ -574,6 +577,13 @@ static void read_pcap(struct ctx *ctx)
                }
        }
 
+       if (is_out_pcap) {
+               int rc = pcap_out_ops->push_fhdr_pcap(fdo, ctx->magic,
+                               ctx->link_type);
+               if (rc)
+                       panic("Error writing pcap header!\n");
+       }
+
        drop_privileges(ctx->enforce, ctx->uid, ctx->gid);
 
        printf("Running! Hang up with ^C!\n\n");
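Review bot: The added header write has no comment explaining its placement, and its ordering relative to `drop_privileges()` on the following line is what makes it work: `fdo` must already be open and the global header must be written while still privileged, with per-packet records following in the main loop later in the function. I would add above the new block `/* emit the pcap global header once, before privileges are dropped; per-packet records are written in the main loop below */`. Where `ctx->magic` and `ctx->link_type` are populated from the input file is outside this hunk, so presumably the input header pull has already run by this point; worth confirming. read_pcap continues on both sides of the hunk.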
@@ -612,8 +622,16 @@ static void read_pcap(struct ctx *ctx)
                dissector_entry_point(out, fm.tp_h.tp_snaplen,
                                      ctx->link_type, ctx->print_mode);
 
-               if (ctx->device_out)
+               if (is_out_pcap) {
+                       int pcap_len = pcap_get_length(&phdr, ctx->magic);
+                       int wlen = pcap_out_ops->write_pcap(fdo, &phdr,
+                                       ctx->magic, out, pcap_len);
+
+                       if (unlikely(wlen != (int)pcap_get_total_length(&phdr, 
ctx->magic)))
+                               panic("Write error to pcap!\n");
+               } else if (ctx->device_out) {
                        translate_pcap_to_txf(fdo, out, fm.tp_h.tp_snaplen);
+               }
 
                if (frame_count_max != 0) {
                        if (ctx->tx_packets >= frame_count_max) {
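Review bot: The lengths on the new write path are narrowed into `int` (`pcap_len` and `wlen` at the top of the added branch) and the comparison casts `pcap_get_total_length()` to `int` as well; the return types of those helpers and of `write_pcap` are outside the hunk, but if they are unsigned, a caplen above INT_MAX in a crafted input file becomes a negative `pcap_len` that is then handed to `write_pcap` as a length. If the read path already bounds caplen against the frame buffer this is harmless, but the invariant is implicit here. I would keep the values in their natural width and drop the cast, e.g. `ssize_t wlen = pcap_out_ops->write_pcap(fdo, &phdr, ctx->magic, out, pcap_get_length(&phdr, ctx->magic));` followed by `if (unlikely(wlen < 0 || (size_t)wlen != pcap_get_total_length(&phdr, ctx->magic)))`. The enclosing loop and read_pcap continue outside the hunk.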
@@ -1132,6 +1150,7 @@ static void __noreturn help(void)
             "  netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent 
--bind-cpu 0\n"
             "  netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent 
--bind-cpu 0\n"
             "  netsniff-ng --in dump.pcap --out dump.cfg --silent --bind-cpu 
0\n"
+            "  netsniff-ng --in dump.pcap --out dump2.pcap --silent tcp\n"
             "  netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 -J 
--type host\n"
             "  netsniff-ng --in eth1 --out /opt/probe/ -s -m --interval 100MiB 
-b 0\n"
             "  netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id 
-g bob`\n"
-- 
2.1.3
