
[Wireshark-users] Aggregating PCAP files

From: Nicolas Greneche <nicolas.greneche@xxxxxxxxxxxxxxx>
Date: Thu, 20 May 2010 16:23:25 +0200
Hi all,

I use FreeBSD 8.0 64-bit. I record network traces on my network this way with dumpcap:

dumpcap -i bridge0 -w /store/pcap/fede/capture.pcap -b filesize:300000 -b files:1500

Interface bridge0 is composed of em1 and em0, which are connected to a network TAP. It works well and I developed a small shell script that selects a subset of files given a time interval.

I tried to send this subset of pcap files to a named pipe like this:

cat fic1.pcap fic2.pcap ... > /my/named/pipe

With tshark on the named pipe:

tshark -i /my/named/pipe -w /store/pcap/dns.pcap 'dst port 53'

with a capture filter to get only DNS traffic in dns.pcap. And when I re-read this pcap like this:

tshark -r /store/pcap/dns.pcap

I got all the traffic (not only DNS). I also tried with a read filter:

tshark -i /my/named/pipe -w /store/pcap/dns.pcap -R "udp.port==53"

It is all the same in the resulting pcap. Did I miss something about filters?

Thanks for your help,

--
Nicolas Greneche -  CISO and Sysadmin
Centre de Ressources Informatiques (CRI)
PhD student in the SDS project - www.sds-project.fr
Mail : nicolas.greneche_(at)_univ-orleans.fr
GPG  : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5FEBD0EF

Universite d'Orleans            Web  : http://blog.garnett.fr
Building 3IA - 2nd floor        Tel  : 02 38 49 25 26
6 rue Leonard de Vinci
BP 6102 45061 ORLEANS Cedex 2
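The aggregation step in the post (feeding several pcap files to one reader and keeping only DNS) is easier to reason about once the file format is visible. The following is an added example, not the poster's script and not part of Wireshark or dumpcap: it parses the classic little-endian pcap format (24-byte global header, 16-byte record headers), merges several files into one properly formed file the way a single-header writer must, applies a "UDP destination port 53" predicate on the raw frames, and shows what a reader sees when files are simply concatenated byte for byte. All captures and frames are constructed inline with placeholder addresses; the helper names are this example's own.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # magic as written by a little-endian host
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame with documentation-range addresses (sample data)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP csum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", 0x0800)
    return eth + ip + udp


def build_pcap(frames, ts_sec=1274365405) -> bytes:
    """Write a minimal pcap file: one global header, then one record per frame."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += RECORD_HDR.pack(ts_sec + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data: bytes):
    """Parse one little-endian pcap file into (linktype, [(ts_sec, ts_usec, frame), ...]).
    Big-endian and nanosecond variants are deliberately not handled here. A ValueError is
    raised when a record header is implausible, which is exactly what happens when a second
    file's global header sits where the reader expects the next record header."""
    magic, _major, _minor, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file (magic 0x%08x)" % magic)
    pos, records = GLOBAL_HDR.size, []
    while pos < len(data):
        if pos + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, pos)
        pos += RECORD_HDR.size
        if incl_len > snaplen or pos + incl_len > len(data):
            raise ValueError("corrupt record at offset %d: incl_len=%d" % (pos - RECORD_HDR.size, incl_len))
        records.append((ts_sec, ts_usec, data[pos:pos + incl_len]))
        pos += incl_len
    return linktype, records


def udp_dst_port(frame: bytes):
    """UDP destination port of an Ethernet/IPv4/UDP frame, or None for any other frame."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17 or len(frame) < 14 + ihl + 8:
        return None
    return struct.unpack_from("!H", frame, 14 + ihl + 2)[0]


def merge_pcaps(files, keep=None) -> bytes:
    """Aggregate several pcap files into one: a single global header followed by every record,
    optionally only those whose frame satisfies `keep`. Records stay in file order; unlike
    mergecap there is no timestamp-ordered merge, and mixed link types are refused."""
    linktype0, _ = read_pcap(files[0])
    out = bytearray(files[0][:GLOBAL_HDR.size])
    for data in files:
        linktype, records = read_pcap(data)
        if linktype != linktype0:
            raise ValueError("cannot merge different link types into a single-header pcap")
        for ts_sec, ts_usec, frame in records:
            if keep is None or keep(frame):
                out += RECORD_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def demo():
    """Constructed inputs: two small capture files mixing DNS (dst port 53) with other UDP.
    Returns (number of DNS records in the merged file, whether `cat`-style concatenation parses)."""
    file1 = build_pcap([build_udp_frame(40000, 53, b"dns-query-1"),
                        build_udp_frame(40001, 123, b"ntp-1")])
    file2 = build_pcap([build_udp_frame(40002, 53, b"dns-query-2"),
                        build_udp_frame(40003, 514, b"syslog-2"),
                        build_udp_frame(40004, 53, b"dns-query-3")], ts_sec=1274365500)
    merged = merge_pcaps([file1, file2], keep=lambda f: udp_dst_port(f) == 53)
    _, dns_records = read_pcap(merged)
    try:
        read_pcap(file1 + file2)        # the byte stream `cat file1 file2 > pipe` produces
        cat_parses = True
    except ValueError:
        cat_parses = False
    return len(dns_records), cat_parses


if __name__ == "__main__":
    n, cat_parses = demo()
    print("DNS records in merged file: %d; plain concatenation parses cleanly: %s" % (n, cat_parses))
```

The merge keeps one global header and copies only record headers and frames from the later files; the concatenation check shows why a second global header in the middle of the stream throws a reader off, since its bytes are read as a record header with a nonsensical length. A practitioner aggregating ring-buffer files from dumpcap would reach for mergecap, which performs this same single-header rewrite with timestamp ordering, and then apply the DNS filter on the merged file rather than on a pipe.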