Every so often I need to extract a subset of traffic from a set of rolling timestamped pcap files. One common place I do this is with
Security Onion; one of the great features of SO is its full-packet-capture feature: you can easily pivot from Snort, Suricata, or Bro logs to a full packet capture view, or download the associated pcap file.
But what if you don't have an associated alert or Bro log entry? Or if you're doing pcap on some system that's not as user-friendly as Security Onion, but nonetheless supports rolling captures?
The way I usually do this is with
find and
xargs. Here's an example of my most common workflow, using timestamps as the filtering criteria for
find:
> find . -newerct "16:07" ! -newerct "16:10" | xargs -I {} tcpdump -r {} -w /tmp/{} host 8.8.8.8
> cd /tmp
> mergecap -w merged.pcap *.pcap
Translated:
- Find all files in the current directory created after 16:07 but not created after 16:10. This requires GNU find 4.3.3 or later. It supports many different time and date formats.
- Using xargs, filter each file with the "host 8.8.8.8" BPF expression and write it to /tmp with the same filename.
- Merge all the .pcap files in /tmp into merged.pcap.
You can easily modify this workflow to fit other use cases.