
List:       security-onion
Subject:    Re: [security-onion] PCAP
From:       jswan <sanjuanswan () gmail ! com>
Date:       2015-05-29 2:32:31
Message-ID: 31e5bbb8-c7de-4ed1-9e91-7c543f0e6b66 () googlegroups ! com


Here's one way I do this. From /nsm/.../dailylogs:

find [your find args here] | xargs -I {} tcpdump -r {} host a.b.c.d -w \
/tmp/{}-extracted.pcap

cd /tmp
mergecap -w all.pcap *extracted.pcap

Now your aggregated FPC is in all.pcap.

You can use the arguments to the find command to grab all the FPC files in the time range that interests you. You could also use a more complex BPF than "host a.b.c.d" if you need to.
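One way to script the procedure above, as an added example that is not the poster's own commands: it assumes GNU find (for -newermt), tcpdump and mergecap on PATH, and that the dailylogs tree holds per-day directories of files named snort.log.<epoch>; the output file name is flattened so that find's directory components do not end up under the output directory.

```sh
#!/bin/sh
# Added example, not from the original post. Extracts one host's traffic from
# Security Onion full packet capture files for a time window and merges it.
# Assumes GNU find (-newermt), tcpdump and mergecap on PATH, and a dailylogs
# tree of per-day directories holding files named snort.log.<epoch>.
set -eu

# Turn a capture path into a flat output name so every file lands in OUTDIR,
# even though find returns paths with directory components:
#   .../dailylogs/2015-05-28/snort.log.1432800000
#   -> 2015-05-28_snort.log.1432800000-extracted.pcap
extracted_name() {
    day=$(basename "$(dirname "$1")")
    printf '%s_%s-extracted.pcap\n' "$day" "$(basename "$1")"
}

# Usage: extract_fpc DAILYLOGS START END OUTDIR BPF...
#   e.g. extract_fpc /nsm/sensor_data/s1/dailylogs '2015-05-28 00:00' \
#            '2015-05-29 00:00' /tmp/case1 host 10.0.0.5
# Prints the path of the merged pcap; fails if the window has no capture files.
extract_fpc() {
    logs=$1; start=$2; end=$3; out=$4; shift 4
    mkdir -p "$out"
    list=$(mktemp)
    # Select files last written inside [START, END). mtime is the last packet
    # write, so it only roughly bounds the traffic inside; widen the window
    # by one rotation period when in doubt.
    find "$logs" -type f -name 'snort.log.*' \
        -newermt "$start" ! -newermt "$end" > "$list"
    n=0
    while IFS= read -r f; do
        # -nn: no name resolution; -w: write only packets matching the BPF
        tcpdump -nn -r "$f" -w "$out/$(extracted_name "$f")" "$@"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    if [ "$n" -eq 0 ]; then
        echo "no capture files between $start and $end" >&2
        return 1
    fi
    mergecap -w "$out/all.pcap" "$out"/*-extracted.pcap
    echo "$out/all.pcap"
}
```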



