How to read a large pcap file in Python

Time:09-24

Seniors, my graduation project advisor requires my software to be able to analyze large pcap files.
So I found a 2 G pcap file on CAIDA's website,
but the software can't read it!!
I use scapy. It can only read all the packets in the pcap at once, or read the first n with rdpcap("XXX.pcap", n).
Reading everything at once ran for an hour without responding. Reading the first n works, but after reading the first n, how do I start reading from n + 1?
And the first n packets may contain only part of a full flow, which can't be analyzed.
My idea is to filter the pcap file so that I get one complete flow.
I searched the Internet, found the tshark command, and used it to filter the pcap file. The result... another hour passed and the filter still hadn't finished,
and I don't know whether it is still filtering or has crashed.
I want to ask: is there a better way to filter the flow I want out of a large pcap file?
(Wireshark opens the large pcap file fine, the speed is good, and it can also filter. How does it do that?)

http://blog.csdn.net/dog250/article/details/52134146 gives a method that I feel I can try, but is there an easier way?

CodePudding user response:

How can Wireshark filter an existing pcap data set? I downloaded a pcap data set from CAIDA, but the file is too large, at 1.6 G. The default way to open it is Wireshark, but it can't open it; the memory footprint is too big and my notebook crashes outright. I sincerely ask the seniors here for help.

CodePudding user response:

 
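```python
import dpkt
from scapy import *  # kept from the post; nothing below uses scapy

# dpkt.pcap.Reader yields one record per iteration instead of loading the whole file
with open('file_name.pcap', 'rb') as f:
    pcap = dpkt.pcap.Reader(f)
    for ts, buf in pcap:
        # ts is the capture timestamp, buf holds the raw frame bytes
        eth = dpkt.ethernet.Ethernet(buf)
        print(str(eth.data))
```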
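An added example, not part of any post above: one way to pull a single flow out of a large capture in constant memory, using only the standard library. It assumes a classic pcap file (not pcapng), an Ethernet or raw-IP link type, and IPv4 TCP/UDP; the names `flow_key`, `extract_flow` and `sample_pcap` are hypothetical, and the sample capture is constructed.

```python
import socket
import struct

L3_OFFSET = {1: 14, 101: 0}  # pcap link type -> IP header offset (Ethernet, raw IP)
BYTE_ORDER = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # usec / nsec magic
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def flow_key(pkt, l3):
    """Direction-independent (proto, endpoints) key for IPv4 TCP/UDP, else None."""
    if l3 == 14 and pkt[12:14] != b"\x08\x00":
        return None  # not IPv4 (VLAN-tagged frames are not handled)
    ip = pkt[l3:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ip[9] not in (6, 17) or frag_off or ihl < 20 or len(ip) < ihl + 4:
        return None  # later fragments carry no port numbers
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    a, b = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    return ip[9], tuple(sorted([(a, sport), (b, dport)]))

def extract_flow(src, dst, wanted):
    """Stream records from src to dst, keeping one flow; return the number kept."""
    ghdr = src.read(24)
    end = BYTE_ORDER.get(ghdr[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    l3 = L3_OFFSET[struct.unpack(end + "I", ghdr[20:24])[0]]  # KeyError: other link type
    dst.write(ghdr)
    kept = 0
    while len(rhdr := src.read(16)) == 16:  # ts_sec, ts_frac, incl_len, orig_len
        incl_len = struct.unpack(end + "I", rhdr[8:12])[0]
        data = src.read(incl_len)
        if len(data) == incl_len and flow_key(data, l3) == wanted:
            dst.write(rhdr + data)
            kept += 1
    return kept

def sample_pcap():
    """Constructed capture: three Ethernet/IPv4/TCP packets, two in one flow."""
    def rec(src, sport, dst, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + bytes(16)
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    recs = rec("10.0.0.1", 40000, "10.0.0.2", 80) + rec("10.0.0.3", 40001, "10.0.0.2", 80)
    recs += rec("10.0.0.2", 80, "10.0.0.1", 40000)  # reply direction of the first flow
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + recs
```

For a file on disk, pass `open("in.pcap", "rb")` and `open("out.pcap", "wb")` as `src` and `dst`, with `wanted` built as `(6, (("10.0.0.1", 40000), ("10.0.0.2", 80)))` (protocol number, then the two endpoints in sorted order). The example trusts each record's `incl_len`, so for captures from an untrusted source add a bound against the snap length in the global header before reading.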
