#1
Registered Member
Join Date: Jan 2005
Posts: 2
Greetings.
I am doing my sniffing with tcpdump on my wireless interface (orinoco) on my own network (5 clients and an AP), but I'm located in a downtown commercial area. As a result, I pick up a HUGE amount of traffic, most of which I do not want. I easily have 2 gig libpcap files all over the place, running aircrack against them as 'aircrack *.pcap' to make it easier on myself. This is beginning to cause problems, both with the huge pcap files taking up valuable computer space and with wanting to combine all the valuable data into a single file to try weplab as well. I know I can use mergepcap to combine log files into one, but right now I'm having trouble extracting what data aircrack and weplab would consider "valuable". I was thinking about doing some creative expression writing in ethereal to get the traffic I want, but when I try to load files of this size in ethereal, it's a nightmare, since a good deal of the time the program stops responding entirely, so I never really got to any writing of expressions. Does anyone have any idea how I can extract just the packets from these monster-sized libpcap files for use with aircrack and/or weplab? Thanks to those that post a reply ahead of time!
#2
Registered Member
Join Date: Jul 2004
Location: Brighton - U.K.
Posts: 65
I know it doesn't help you with your large pcap extraction problem, but have you tried only capturing the first X bytes of each packet, so as to keep the file size way down in the first place??
Most capture apps support this option. Most WEP cracking apps only need the 1st X bytes of data for each packet anyway.
__________________
I started out with nothing..............and I've still got most of it left.....
#4
Registered Member
Join Date: Jan 2005
Posts: 2
Thank you for your replies. I will also post a solution I found.
There is a package called tethereal for Debian that I used, which is described as a console line ethereal. I basically ran this:

tethereal -r bitchinglyhuge.pcap -w little.pcap wlan.fc.subtype != 8

This stripped beacons. Then, I could also do expressions to cut out everything that wasn't my own bssid. My 2gig pcap files ended up around 300 MB, very nicely.
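The two reductions described in post #4 (drop beacons, keep only one BSSID) can also be done without loading the whole file into a GUI. The following is an added example, not code from the thread, tethereal or aircrack: a standard-library-only Python script that walks a classic libpcap file record by record, reads the 802.11 frame control and address fields, and writes out only frames that belong to one BSSID. It goes slightly beyond the post's filter: it matches beacons by type and subtype together (management type 0, subtype 8), so QoS data frames, which are data type 2 with subtype 8, are not thrown away the way a bare "subtype != 8" filter would throw them away, and it accepts both raw 802.11 captures (link type 105, which an orinoco card in monitor mode produces) and radiotap captures (link type 127). The MAC addresses, frames and file names in it are constructed sample values.

```python
import struct
import sys

# Classic pcap constants (from the libpcap file format); magic value decides byte order.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_IEEE802_11 = 105           # raw 802.11 frames
LINKTYPE_IEEE802_11_RADIOTAP = 127  # 802.11 frames preceded by a radiotap header

FTYPE_MGMT, FTYPE_CTRL, FTYPE_DATA = 0, 1, 2
SUBTYPE_BEACON = 8                  # a beacon is subtype 8 *of the management type* only

# Constructed sample addresses (not real devices).
AP, STA, OTHER_AP, OTHER_STA = (bytes.fromhex(h) for h in
    ("00025d000001", "00022d000003", "000c41000002", "000c41000004"))
RADIOTAP_HDR = b"\x00\x00\x08\x00\x00\x00\x00\x00"  # version 0, it_len 8, no fields present


def build_frame(ftype, subtype, addr1, addr2, addr3, flags=0, body=b""):
    """Build a minimal 802.11 frame: frame control, duration, three addresses, sequence control."""
    fc0 = (ftype << 2) | (subtype << 4)
    return struct.pack("<BBH", fc0, flags, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0) + body


def build_pcap(frames, linktype):
    """Serialise frames as a little-endian pcap file (24-byte global header, 16-byte record headers)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_100_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data):
    """Return (endianness, linktype, [(record_header, payload), ...]) for a classic pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack_from(e + "I", data, 20)[0]
    records, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(e + "IIII", data, off)[2]
        hdr, off = data[off:off + 16], off + 16
        records.append((hdr, data[off:off + incl_len]))
        off += incl_len
    return e, linktype, records


def dot11_offset(linktype, payload):
    """Byte offset of the 802.11 header inside a record payload for the supported link types."""
    if linktype == LINKTYPE_IEEE802_11:
        return 0
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP and len(payload) >= 4:
        return struct.unpack_from("<H", payload, 2)[0]  # radiotap it_len is always little-endian
    raise ValueError("unsupported link type %d" % linktype)


def frame_info(frame):
    """Return (type, subtype, bssid) for an 802.11 frame; bssid is None when it cannot be derived."""
    if len(frame) < 24:            # control frames (ACK, CTS, ...) are shorter and carry no BSSID
        return None
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    to_ds, from_ds = flags & 1, (flags >> 1) & 1
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == FTYPE_MGMT:
        bssid = addr3
    elif ftype == FTYPE_DATA and not (to_ds and from_ds):
        bssid = addr1 if to_ds else addr2 if from_ds else addr3  # position depends on the DS bits
    else:
        bssid = None               # control frames and 4-address WDS frames
    return ftype, subtype, bssid


def filter_pcap(data, keep_bssid):
    """Drop beacons, control frames and anything not on keep_bssid; return (pcap_bytes, kept, dropped)."""
    _, linktype, records = read_pcap(data)
    out, kept, dropped = bytearray(data[:24]), 0, 0
    for hdr, payload in records:
        info = frame_info(payload[dot11_offset(linktype, payload):])
        if info is None or info[2] != keep_bssid or (info[0] == FTYPE_MGMT and info[1] == SUBTYPE_BEACON):
            dropped += 1
            continue
        out += hdr + payload
        kept += 1
    return bytes(out), kept, dropped


def demo(linktype=LINKTYPE_IEEE802_11):
    """Filter a constructed five-frame capture down to AP's traffic; returns (kept, dropped)."""
    frames = [
        build_frame(FTYPE_MGMT, SUBTYPE_BEACON, b"\xff" * 6, AP, AP, body=b"\x00" * 12),  # beacon: drop
        build_frame(FTYPE_DATA, 0, AP, STA, bytes(6), flags=1, body=b"\xaa\xaa\x03"),      # STA->AP: keep
        build_frame(FTYPE_DATA, 8, STA, AP, STA, flags=2, body=b"\x00\x00\xaa\xaa"),       # QoS data: keep
        build_frame(FTYPE_DATA, 0, OTHER_AP, OTHER_STA, bytes(6), flags=1, body=b"\xaa"),  # other BSS: drop
        struct.pack("<BBH", (FTYPE_CTRL << 2) | (13 << 4), 0, 0) + STA,                     # ACK: drop
    ]
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
        frames = [RADIOTAP_HDR + f for f in frames]
    filtered, kept, dropped = filter_pcap(build_pcap(frames, linktype), AP)
    _, lt, recs = read_pcap(filtered)           # the output is itself a valid pcap of the same link type
    assert lt == linktype and len(recs) == kept
    return kept, dropped


if __name__ == "__main__":
    if len(sys.argv) == 4:                      # filter.py in.pcap out.pcap 00:02:5d:00:00:01
        with open(sys.argv[1], "rb") as f:
            result, kept, dropped = filter_pcap(f.read(), bytes.fromhex(sys.argv[3].replace(":", "")))
        with open(sys.argv[2], "wb") as f:
            f.write(result)
        print("kept %d frames, dropped %d" % (kept, dropped))
    else:
        print(demo())
```

Run with three arguments to filter a real file; with none it runs the constructed sample, where the beacon, the other network's data frame and the ACK are dropped and the two data frames on the chosen BSSID (including the QoS one) are kept. Reading the whole file with f.read() is fine for the 2 GB captures mentioned above only on a machine with the memory to spare; record headers carry the length of each record, so a streaming variant that reads one record at a time is a straightforward change.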