
Ethereal-users: Re: [Ethereal-users] Slice a big file into small chunks

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Stef <stefmit@xxxxxxxxx>
Date: Wed, 13 Oct 2004 23:33:08 -0500
Thanks - actually your script helped me by reminding me of the "-R"
option for tethereal, which was the missing piece of the puzzle ==>
light bulb came on!

In my case your exact concept won't be applicable, as my traffic is
almost exclusively HTTP, but it should be a no brainer now to run a
first pass with tethereal, through the big file, with a read (-R)
filter isolating - let's say - separate hosts and "SYN" only flags,
then piping the output through an "awk-printing" to obtain only the
frame numbers, then run a second pass through the big capture file,
with editcap and output files based on sequences of frame numbers as
determined above, in order to obtain manageable sized slice files,
based on whole traffic having happened between some logically
determined reference points (in this case various hosts initializing
communication).

NOTE: One other reason for not isolating/slicing the capture file by
protocol would be to keep everything (all types of traffic) happening
between two reference points in time (in this case frame numbers) in
one file, as this is what I will be trying to further analyze.

Thx again,
Stef


On Thu, 14 Oct 2004 10:35:08 +1000, Steve Abrahall <sa@xxxxxxxxxxxxxxxx> wrote:
> 
> 
> Not quite sure if this is what you're after but it may be worth having a
> look at
> If you're comfortable with working with unix type operating systems and
> shell scripting
> 
> This is a script I wrote for osX it could be modded for other unix
> platforms
> 
> http://wiki.ethereal.com/osXextraction
> 
> HTH
> 
> Steve
> 
>
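
The two-pass approach described in the message above, as an added example that is not part of the original post or of Steve's script. It assumes current tools: `tshark` (the renamed tethereal, where `-Y` is the display-filter option in place of the `-R` used in the post) and `editcap`; the function names and output file naming are hypothetical.

```shell
#!/bin/sh
# Added example: slice a large capture at "new host starts talking" reference points.
# Assumes tshark and editcap are on PATH; all function names are hypothetical.

# Pass 1: print "frame-number<TAB>source-IP" for every initial SYN (SYN set, ACK clear).
syn_frames() {
    tshark -r "$1" -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
        -T fields -e frame.number -e ip.src
}

# Keep only the first SYN frame seen from each source host (stdin -> stdout).
# Non-IPv4 senders have an empty ip.src and are treated as one host.
first_syn_per_host() {
    awk -F '\t' '!seen[$2]++ { print $1 }'
}

# Turn ascending reference frame numbers (stdin) into "start-end" ranges that
# cover frames 1..$1 without gaps, so all traffic of every protocol between
# two reference points stays together in one slice.
frame_ranges() {
    awk -v last="$1" '
        BEGIN { start = 1 }
        $1 + 0 > start && $1 + 0 <= last { print start "-" ($1 - 1); start = $1 + 0 }
        END { if (start <= last) print start "-" last }
    '
}

# Pass 2: write one output file per range. editcap -r keeps the listed frames.
slice_capture() {
    in=$1
    prefix=$2
    last=$(tshark -r "$in" -T fields -e frame.number | tail -n 1)
    n=0
    syn_frames "$in" | first_syn_per_host | frame_ranges "$last" |
    while read -r range; do
        n=$((n + 1))
        editcap -r "$in" "$(printf '%s_%04d.pcap' "$prefix" "$n")" "$range"
    done
}

# Usage: sh slice.sh big.pcap slice   (does nothing when sourced without arguments)
if [ "$#" -eq 2 ]; then
    slice_capture "$1" "$2"
fi
```

Each slice is another full read of the input by `editcap`, so a capture with many distinct client hosts is slow to process; filtering pass 1 to a shorter list of reference hosts reduces the number of slices.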