<body>

Saturday, March 01, 2008

Viewing Multiple Capture Files With tcpdump

In the course of some troubleshooting yesterday, I had to capture some packets on our external Internet interface. In order to keep the files manageable, I set up wireshark to use 10 megabyte files. That wasn't the best idea, since it resulted in a new file every 8-10 seconds, and overwhelmed this little Thinkpad I use. Oh, well.

One of the things I wanted to see was how many ICMP unreachable messages the firewall sent in that time frame. I had 530 10-megabyte files from the capture, and I really didn't want to open every one in wireshark and then scroll down the packet list, or even filter for unreachables, file by file. I tried a couple of command-line approaches with tcpdump, using xargs and bash scripts, but they were either too complicated for regular use or simply didn't work.

Eventually I stumbled on mergecap, a command-line utility included with wireshark. Its intended purpose is, surprise, to merge a bunch of capture files, but I didn't want to end up working with a 530 megabyte capture file either. It turns out that mergecap can write its output to stdout and tcpdump can read a capture from stdin, so the merged stream can go straight into tcpdump for immediate display without ever touching the disk.

In the end, I came up with:

 mergecap -w - capfile* | tcpdump -n -tttt -r - | grep -i unreachable

That's quick and easy enough to use all the time.


Jamie Levy said...

I think tcpdump would have been much simpler. If you are looking for *any* icmp packets, you can simply use:

tcpdump -xttttn -i [interface] icmp

and that will spit out all icmp packets.

If you want packets with a particular code you can do that as well:

tcpdump -xttttn -i [interface] icmp[1] == 3

This spits out all icmp packets that are destination unreachable.

tcpdump -xttttn -i [interface] icmp[1] == 0

This spits out all icmp echo reply packets (when you ping something).

icmp[1] means look at the 2nd byte, which is where the codes are stored.

Hope this helps.

9:12 AM  
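The mergecap pipeline in the post and the icmp[n] byte-offset filters in the comment both come down to reading fixed offsets in each packet. The script below is an added example, not code from the post or its commenter: a minimal reader for classic libpcap files that walks many files in sequence, as the 530 capfile* pieces would be walked, and tallies ICMP destination-unreachable messages by code. In the ICMP header, byte 0 is the type and byte 1 is the code; destination unreachable is type 3, and the code byte then says why (1 is host unreachable, 3 is port unreachable, and so on). tcpdump exposes the same two offsets as icmp[icmptype] and icmp[icmpcode], with icmp-unreach as the name for type 3. The script assumes Ethernet frames and the classic pcap format (not pcapng, which current Wireshark writes by default); the two sample capture images at the bottom are constructed inside the script, and all function names are my own.

```python
import glob
import struct
from collections import Counter

# Fixed sizes and field values for classic libpcap + Ethernet/IPv4/ICMP.
PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16
DLT_EN10MB = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_TYPE_DEST_UNREACHABLE = 3   # ICMP *type* byte; the *code* byte refines the reason

# Names for the common codes of ICMP type 3 (subset of RFC 792 / RFC 1812).
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed",
    13: "administratively prohibited",
}


def iter_pcap_records(blob):
    """Yield the raw frame bytes of each record in a classic pcap file image."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"           # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"           # written by a big-endian host
    else:
        raise ValueError("not a classic (non-pcapng) libpcap file")
    linktype = struct.unpack(endian + "I", blob[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    offset = PCAP_GLOBAL_HEADER_LEN
    while offset + PCAP_RECORD_HEADER_LEN <= len(blob):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", blob[offset:offset + PCAP_RECORD_HEADER_LEN])
        offset += PCAP_RECORD_HEADER_LEN
        frame = blob[offset:offset + incl_len]
        if len(frame) < incl_len:
            break              # file cut off mid-record: stop rather than misparse
        offset += incl_len
        yield frame


def icmp_type_code(frame):
    """Return (type, code) for an Ethernet/IPv4/ICMP frame, or None otherwise."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4   # IPv4 header length in bytes (options included)
    if ip[9] != IPPROTO_ICMP or len(ip) < ihl + 2:
        return None
    icmp = ip[ihl:]
    return icmp[0], icmp[1]    # byte 0 is the ICMP type, byte 1 the ICMP code


def count_unreachables(blobs):
    """Tally ICMP destination-unreachable messages across pcap images, by code."""
    counts = Counter()
    for blob in blobs:
        for frame in iter_pcap_records(blob):
            tc = icmp_type_code(frame)
            if tc is not None and tc[0] == ICMP_TYPE_DEST_UNREACHABLE:
                counts[tc[1]] += 1
    return counts


def count_unreachables_in_files(pattern):
    """Same tally for on-disk files matching a glob such as 'capfile*'."""
    def read_each():
        for path in sorted(glob.glob(pattern)):
            with open(path, "rb") as fh:
                yield fh.read()
    return count_unreachables(read_each())


# --- constructed sample data, not a real capture -----------------------------

def _icmp_frame(icmp_type, icmp_code):
    """Build a minimal Ethernet/IPv4/ICMP frame (checksums left as zero)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = bytes([icmp_type, icmp_code]) + bytes(6)      # type, code, cksum, unused
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 9]))
    return eth + ip + icmp


def _pcap_image(frames):
    """Wrap frames in a little-endian classic pcap file image."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f
                       for f in frames)
    return header + records


# Two tiny stand-ins for rotated capfile* pieces: echo request, port
# unreachable, host unreachable; then echo reply, port unreachable, time exceeded.
SAMPLE_FILES = [
    _pcap_image([_icmp_frame(8, 0), _icmp_frame(3, 3), _icmp_frame(3, 1)]),
    _pcap_image([_icmp_frame(0, 0), _icmp_frame(3, 3), _icmp_frame(11, 0)]),
]

if __name__ == "__main__":
    for code, n in sorted(count_unreachables(SAMPLE_FILES).items()):
        print(f"type 3 code {code} ({UNREACHABLE_CODES.get(code, 'other')}): {n}")
```

Run it as-is to see the tally on the built-in sample, or call count_unreachables_in_files('capfile*') against a directory of captures. A file cut off mid-record, as the last file of a rotated set often is when the capture is stopped, ends the walk at the truncated record instead of raising, so one damaged file does not discard the count from the other 529.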
