Sunday, February 26, 2006

Tcpdump - Samurai Slicing

It happens when you have logged full network content data with tcpdump and end up with a very large pcap file, say 2GB or maybe 10GB. When you try to load it into ethereal to analyze it, ethereal hangs; most people won't have enough RAM for that kind of file. So we need to slice the pcap file into pieces that ethereal or other analysis tools can work with. There are third party tools for this, like tcpslice, but here I just want to use tcpdump, and here's how I do it.

I log the traffic at first, after that I just terminate it after a while and it's size is around 2GB.

shell>tcpdump -qeXX -tttt -s 1550 -n -w /tmp/trace_exploit

shell>cd /tmp

shell>ls -la trace_exploit
-rwxrwxrwx 1 root root 1888546816 Feb 26 03:18 trace_exploit*

shell>file trace_exploit
trace_exploit: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1550)

I created the short shell script below and put it in /usr/local/bin to ease the creation of blank trace files for tcpdump to write to with full permission. You will get a permission denied error if you don't create the blank trace files manually. Here's the shell script (works with bash and ksh),


#!/bin/bash
# Create the directory to store the trace files.

echo "Which directory you want to store the trace file?"
read directory

mkdir -p "$directory"

# Create the blank trace files with a sequence number behind each name.
# Adjust the upper bound (10) to the number of slices you expect.

for (( i = 1; i <= 10; i++ ))
do
    touch "$directory/trace_$i"
    chmod 777 "$directory/trace_$i"
done

Now run the shell script to create a directory that we want to store the blank trace files with the sequence number. Don't forget to chmod +x the shell script :)

Which directory you want to store the trace file?

Run tcpdump with -C 200, which rotates the output every 200MB (tcpdump counts -C in units of 1,000,000 bytes, which is why the sizes in the listing below are just over 200,000,000) and writes to the blank trace files. tcpdump starts counting at 2, which is why we point the first file it writes at trace_1; once that reaches 200MB it writes to trace_2 and so on in sequence. When it finishes, every file is 200MB except the last part, which is smaller, and we have trace_1 through trace_10.

shell>tcpdump -C 200 -r /tmp/trace_exploit -w /tmp/pcap_trace/trace_1

shell>ls -la /tmp/pcap_trace/
drwxr-xr-x 2 root root 4096 Feb 26 10:24 ./
drwx--x--x 10 root root 4096 Feb 26 09:20 ../
-rwxrwxrwx 1 root root 200001144 Feb 26 09:37 trace_1*
-rwxrwxrwx 1 root root 88539409 Feb 26 09:39 trace_10*
-rwxrwxrwx 1 root root 200001464 Feb 26 09:37 trace_2*
-rwxrwxrwx 1 root root 200000902 Feb 26 09:37 trace_3*
-rwxrwxrwx 1 root root 200001074 Feb 26 09:38 trace_4*
-rwxrwxrwx 1 root root 200000305 Feb 26 09:38 trace_5*
-rwxrwxrwx 1 root root 200000258 Feb 26 09:38 trace_6*
-rwxrwxrwx 1 root root 200000939 Feb 26 09:38 trace_7*
-rwxrwxrwx 1 root root 200000153 Feb 26 09:38 trace_8*
-rwxrwxrwx 1 root root 200001220 Feb 26 09:38 trace_9*
-rwxrwxrwx 1 root root 1888546816 Feb 26 03:18 trace_exploit*

By now you should be able to load the smaller pcap files into your ethereal. Remember to tweak the shell script to fit your needs, especially the number of trace files to create, which depends on the total pcap file size divided by the slice size.
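As an added example (not the post's script), the following sh functions compute how many slices a capture will need for a given -C size, pre-create the empty files, and print the tcpdump command to run; the only assumptions beyond the post are the 1,000,000-byte unit of -C and the trace_N naming convention the post uses.

```sh
#!/bin/sh
# Added example, not the post's script: size the slice set from the capture
# instead of hard-coding 10 files. tcpdump's -C unit is 1,000,000 bytes,
# which is why the listing above shows slices of 200,000,xxx bytes.

# slices_needed <capture_bytes> <slice_size_in_millions>
# Prints how many files tcpdump -C will produce (ceiling division).
slices_needed() {
    unit=$(( $2 * 1000000 ))
    echo $(( ($1 + unit - 1) / unit ))
}

# slice_names <prefix> <count>
# Prints the file names using the post's convention: prefix_1 .. prefix_N.
# Check the names your tcpdump version actually produces on a small capture
# before relying on this convention.
slice_names() {
    i=1
    while [ "$i" -le "$2" ]; do
        printf '%s_%d\n' "$1" "$i"
        i=$((i + 1))
    done
}

# prepare_slices <capture> <dir> <slice_size_in_millions>
# Creates the output directory and empty slice files, then prints the
# tcpdump command to run. If your tcpdump drops privileges (-Z user),
# make the directory writable by that user rather than using chmod 777.
prepare_slices() {
    capture=$1; dir=$2; mb=$3
    size=$(( $(wc -c < "$capture") ))
    n=$(slices_needed "$size" "$mb")
    mkdir -p "$dir"
    slice_names "$dir/trace" "$n" | while read -r f; do
        : > "$f"
    done
    echo "tcpdump -C $mb -r $capture -w $dir/trace_1"
}

# Usage: ./prepare_slices.sh /tmp/trace_exploit /tmp/pcap_trace 200
if [ "$#" -eq 3 ]; then
    prepare_slices "$1" "$2" "$3"
fi
```

For the 1888546816-byte capture in the listing above, slices_needed returns 10, matching the ten files tcpdump produced.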

Cheers (:])

p/s: In my blog, command execution in the shell is always in bold and config file or shell script content is always in italic.


Anonymous said...

Great article. Is there any way I can make contact with you, like through email or MSN?

geek00L said...

Thx. As always, you can find me at geek00L[at]; IM will only be told through email :] or you may find me on the freenode IRC channels #snort-gui or #myoss.