Tuesday, July 14, 2015

Extracting Traffic from Rolling Capture Files

Every so often I need to extract a subset of traffic from a set of rolling timestamped pcap files. One common place I do this is with Security Onion; one of the great features of SO is full packet capture: you can easily pivot from Snort, Suricata, or Bro logs to a full-packet-capture view, or download the associated pcap file.

But what if you don't have an associated alert or Bro log entry? Or if you're doing pcap on some system that's not as user-friendly as Security Onion, but nonetheless supports rolling captures?

The way I usually do this is with find and xargs. Here's an example of my most common workflow, using timestamps as the filtering criteria for find:

> find . -newerct "16:07" ! -newerct "16:10" | xargs -I {} tcpdump -r {} -w /tmp/{} host
> cd /tmp
> mergecap -w merged.pcap *.pcap

  1. Find all files in the current directory created after 16:07 but not created after 16:10. This requires GNU find 4.3.3 or later, whose -newerct test accepts many different time and date formats.
  2. Using xargs, run tcpdump on each file with the "host" BPF expression and write the filtered result to /tmp under the same filename.
  3. Merge all the .pcap files in /tmp into merged.pcap.

You can easily modify this workflow to fit other use cases.
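The same three steps wrapped in a reusable script, as an added example that is not from the original post. It assumes GNU find 4.3.3 or later (for -newerct), tcpdump and mergecap on PATH, and adds a preview count and NUL-safe filename handling; the capture directory and BPF expression in the usage line are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): the find/xargs/tcpdump/mergecap
# workflow as shell functions. Assumes GNU find 4.3.3+, tcpdump and mergecap.
# Note that -newerct compares the inode change time (ctime), not a true
# creation time on most filesystems.

# select_captures DIR START END
# NUL-separated list of regular files directly under DIR whose ctime falls
# after START and not after END (any time format GNU find understands).
select_captures() {
    find "$1" -maxdepth 1 -type f -newerct "$2" ! -newerct "$3" -print0
}

# count_captures DIR START END
# Preview how many files the window hits before spending time in tcpdump.
count_captures() {
    select_captures "$1" "$2" "$3" | tr '\0' '\n' | wc -l | tr -d ' '
}

# extract_window DIR START END OUTDIR BPF...
# Filters each selected file with the BPF expression into OUTDIR, then merges
# the results into OUTDIR/merged.pcap.
# Returns 2 if tcpdump or mergecap is missing, 1 if no file is in the window.
extract_window() {
    dir=$1; start=$2; end=$3; outdir=$4; shift 4
    bpf=$*
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not on PATH" >&2; return 2; }
    command -v mergecap >/dev/null 2>&1 || { echo "mergecap not on PATH" >&2; return 2; }
    [ "$(count_captures "$dir" "$start" "$end")" -gt 0 ] || { echo "no captures in window" >&2; return 1; }
    mkdir -p "$outdir"
    rm -f "$outdir/merged.pcap"
    # -print0/-0 keep names with spaces intact; basename flattens the ./name
    # path that find prints (the original wrote to /tmp/./name).
    select_captures "$dir" "$start" "$end" |
        xargs -0 -I {} sh -c 'tcpdump -r "$1" -w "$2/$(basename "$1")" "$3"' _ {} "$outdir" "$bpf"
    mergecap -w "$outdir/merged.pcap" "$outdir"/*
}

# Usage with placeholder values:
#   extract_window /path/to/captures "16:07" "16:10" /tmp/window host 192.0.2.10
```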


theFlakes said...

Caught this on the SO mailing list. I had a shell script to automate some of this, but the pulling of the information from the multiple snort files wasn't as nice as yours. Thanks.


Greg said...

Thanks for sharing! I've been trying to figure out how to do this!