Re: [Wireshark-users] View Filter - Capture Filter
On Thu, Oct 26, 2006 at 04:49:45PM +1000, [EMAIL PROTECTED] wrote:

> Cheers, I had tried using 'tcp port 389' but needing to do a 24hr
> capture resulted in a lot of info. Even when splitting the data amongst
> multiple files resulted in 10Mb x 260 files. Opening this many files
> would be too much. I'm not sure of what the maximum file size WireShark
> can handle in opening, may give 150Mb a go instead of 10Mb multiple file
> sizes.

This page gives some tips on improving performance when using large
capture files: http://wiki.wireshark.org/Performance

The size of capture file supported is only limited by the amount of RAM
you have and CPU speed to process all of the packets. I don't think
there is an official upper limit.

Steve

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] View Filter - Capture Filter
Stephen Fisher wrote:

> On Thu, Oct 26, 2006 at 04:49:45PM +1000, [EMAIL PROTECTED] wrote:
>
>> Cheers, I had tried using 'tcp port 389' but needing to do a 24hr
>> capture resulted in a lot of info. Even when splitting the data amongst
>> multiple files resulted in 10Mb x 260 files. Opening this many files
>> would be too much. I'm not sure of what the maximum file size WireShark
>> can handle in opening, may give 150Mb a go instead of 10Mb multiple file
>> sizes.
>
> This page gives some tips on improving performance when using large
> capture files: http://wiki.wireshark.org/Performance
>
> The size of capture file supported is only limited by the amount of RAM
> you have and CPU speed to process all of the packets. I don't think
> there is an official upper limit.

See: http://wiki.wireshark.org/KnownBugs/OutOfMemory

Regards, ULFL
Re: [Wireshark-users] View Filter - Capture Filter
Hello Steven,

[EMAIL PROTECTED] 10/26/06 2:49 AM
Quoting Stephen Fisher [EMAIL PROTECTED]:

>> Cheers, I had tried using 'tcp port 389' but needing to do a 24hr
>> capture resulted in a lot of info. Even when splitting the data amongst
>> multiple files resulted in 10Mb x 260 files. Opening this many files
>> would be too much. I'm not sure of what the maximum file size WireShark
>> can handle in opening, may give 150Mb a go instead of 10Mb multiple file
>> sizes.

This is where the WireShark command line utilities (tshark, and mergecap
specifically) really come in handy!

You have a large set of (relatively large) capture files. You can use the
tshark utility with your desired display filter (ldap.authentication == 0)
to easily select out a subset of the frames from each of the original
trace files and then write this data to a new (filtered) trace file.
Using mergecap you can then combine the various filtered trace files into
larger trace files for subsequent analysis within WireShark itself.

Assuming you have a cmd line environment that allows one to easily
iterate (loop) across a set of files you could do something like the
following:

    #
    # In a sh/ksh/bash like environment the following (untested)
    # shell commands would do the following:
    #
    # 1) create a new folder called filtered.
    #
    # 2) Execute tshark for each file found in the current directory
    #    whose name begins with myOriginalTraces and ends with
    #    pcap. Tshark will use the display filter 'ldap.authentication == 0'
    #    to select out a specific subset of frames from the current
    #    trace file and write the filtered results to a new trace. The
    #    new trace file will have the same name as the original trace
    #    file but will be located in the ./filtered folder.
    #
    mkdir filtered
    for i in myOriginalTraces*.pcap
    do
        tshark -r "$i" -R 'ldap.authentication == 0' -w "./filtered/$i"
    done
    #
    # end of script.
    #

In the worst case you can construct and execute a simple batch file that
accomplishes the same thing...

    mkdir filtered
    tshark -r myOriginalTrace01.pcap -R 'ldap.authentication == 0' -w ./filtered/myOriginalTrace01.pcap
    tshark -r myOriginalTrace02.pcap -R 'ldap.authentication == 0' -w ./filtered/myOriginalTrace02.pcap
    tshark -r myOriginalTrace03.pcap -R 'ldap.authentication == 0' -w ./filtered/myOriginalTrace03.pcap
    [snip]

Afterwards you can then use the mergecap utility to combine these newly
generated (and filtered) trace files into convenient sized units.

I hope this helps.

Jim Young
[Wireshark-users] View Filter - Capture Filter
Anybody know what the Capture Filter equivalent is of the following View
Filter:

    ldap.authentication == 0

I am basically trying to whittle down my capture to simple authentication
requests over LDAP (389) as part of an investigation into using LDAPS.

TIA
Re: [Wireshark-users] View Filter - Capture Filter
On Thu, Oct 26, 2006 at 02:33:19PM +1000, [EMAIL PROTECTED] wrote:

> Anybody know what the Capture Filter equivalent is of the following
> View Filter:
>
> ldap.authentication == 0
>
> I am basically trying to whittle down my capture to simple
> authentication requests over LDAP (389) as part of an investigation
> into using LDAPS.

Unfortunately, there is no way to get that much detail in a capture
filter. The best you can do is set the capture filter to only capture
LDAP traffic with tcp port 389.

Steve
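Steve's answer above says the detail is out of reach of a capture filter. The following is an added example, not code from the thread or from Wireshark, with hypothetical helper names: it walks the BER encoding of an LDAP BindRequest to find the AuthenticationChoice that the display filter 'ldap.authentication == 0' tests (tag 0 simple, tag 3 sasl, per RFC 4511) and reports the byte offset of that field, which shifts with the bind DN length and with BER length encoding, so no fixed-offset capture filter can match it.

```python
# Added example, not from the thread: a minimal BER walker that locates the
# field Wireshark's 'ldap.authentication' filter tests. Names are hypothetical.
SIMPLE, SASL = 0, 3  # AuthenticationChoice context tags, RFC 4511

def _tlv(tag, body):
    """Encode one BER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def bind_request(msg_id, name, auth_tag, cred):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] }, LDAPv3."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(auth_tag, cred)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))

def parse_bind(msg):
    """(authentication choice, offset of that TLV) for a BindRequest, else None."""
    tag, vs, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        return None
    _, _, pos = _read_tlv(msg, vs)        # skip messageID
    op_tag, vs, _ = _read_tlv(msg, pos)
    if op_tag != 0x60:                    # not a BindRequest
        return None
    _, _, pos = _read_tlv(msg, vs)        # skip version
    _, _, pos = _read_tlv(msg, pos)       # skip name (LDAPDN)
    auth_tag, _, _ = _read_tlv(msg, pos)
    return auth_tag & 0x1F, pos           # tag number without class bits

def count_simple_binds(messages):
    """How many messages 'ldap.authentication == 0' would keep."""
    return sum(1 for m in messages if (parse_bind(m) or (None,))[0] == SIMPLE)

SAMPLES = [  # constructed, not captured traffic
    bind_request(1, "cn=admin,dc=example,dc=com", 0x80, b"hunter2"),  # simple
    bind_request(2, "", 0xA3, _tlv(0x04, b"GSS-SPNEGO")),            # sasl [3]
    _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x42, b"")),                # unbind
]
```

Run over the three constructed messages it keeps only the first, and the authentication TLV sits at offset 38 there but at offset 12 in the SASL bind, which is the variable position a BPF expression like tcp[off] cannot follow.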