
Is there a possibility to filter tcpdump (live or after creating a dump) based on tcp connection time (connection duration)?

I'm recording HTTP JSON-RPC traffic. I want to record only connections that are longer than, let's say, 1000 ms.

In Wireshark there is a tool in Menu->Statistics->Conversations (TCP tab) and there I can sort by "Duration". But I want to record (or filter) long-lived connections beforehand (not in Wireshark).

In pseudo commands I want to do something like this:

tcpdump -i eth0 port 80 and connectionTime>1000ms -w data.pcap

or after recording:

cat data.pcap | SOMETOOL -connectionTime>1000ms > dataLongConnections.pcap

SOMETOOL must export the filtered data to a format that Wireshark will understand, because after filtering I want to analyze that data in Wireshark.

How can I do this?

Tereska
  • Did you try SplitCap as suggested by kauppi? You can't filter for session duration with tcpdump, as it's not a stateful filter, SplitCap at first glance seems to provide what you need to get started. – Tom Regner May 24 '13 at 14:54
  • To add onto what Tom Regner said: `tcpdump` doesn't keep track of session duration. The reason `Wireshark` is able to show you the information is because `Wireshark` itself is keeping track of the session durations, not simply parsing `tcpdump`. – Vilhelm Gray May 24 '13 at 18:55

2 Answers


SplitCap might work for you. It will take PCAP as an input and output separate PCAPs for each TCP/UDP session. After the split you could filter from the output PCAPs the interesting ones to keep.

kauppi

You need to consider your traffic at flow level instead of packet level.

If you worked with NetFlow, you could use flow-tools and flow-nfilter to filter flows by duration. So you could convert your pcap to NetFlow and filter it afterwards.

The drawback is that at the output you get NetFlow, not PCAP. For building some stats it is sufficient, but for checking packets it certainly is not.

You can also build your own tool with libpcap in C (the hard way) or Scapy in Python (the easier way). The latter option shouldn't be too difficult (provided you work with Python).

Jakub M.
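The "build your own tool" route from the answer above, as an added example that is not code from the answer or from any of the tools named on the page: it does what the question asks (group packets into bidirectional TCP connections, measure first-to-last-packet duration, keep only connections at or above a threshold) in plain Python against the classic libpcap file format, so it needs neither Scapy nor libpcap. It assumes little-endian classic pcap (not pcapng) with Ethernet/IPv4/TCP frames; the sample capture and its addresses are constructed inline.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian libpcap file with microsecond timestamps

def pcap_records(pcap):
    """Yield (timestamp_seconds, raw record incl. its 16-byte header) for each packet."""
    assert struct.unpack_from("<I", pcap, 0)[0] == PCAP_MAGIC, "classic little-endian pcap only"
    off = 24  # skip the fixed-size global header
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        yield sec + usec / 1e6, pcap[off:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_flow_key(frame):
    """Direction-independent key for an Ethernet/IPv4/TCP frame; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + (frame[14] & 0x0F) * 4)
    return frozenset({(frame[26:30], sport), (frame[30:34], dport)})

def tcp_durations(pcap):
    """Map each TCP connection to (last packet time - first packet time) in seconds."""
    span = {}
    for ts, rec in pcap_records(pcap):
        key = tcp_flow_key(rec[16:])
        if key is not None:
            lo, hi = span.get(key, (ts, ts))
            span[key] = (min(lo, ts), max(hi, ts))
    return {key: hi - lo for key, (lo, hi) in span.items()}

def filter_long_connections(pcap, min_duration):
    """Return a Wireshark-readable pcap keeping only connections lasting >= min_duration s."""
    keep = {k for k, d in tcp_durations(pcap).items() if d >= min_duration}
    return pcap[:24] + b"".join(r for _, r in pcap_records(pcap) if tcp_flow_key(r[16:]) in keep)

# Constructed sample capture (synthetic, not real traffic) so the filter runs offline.
def make_frame(src, sport, dst, dport):
    eth_ip = b"\x00" * 12 + b"\x08\x00" + bytes([0x45, 0]) + struct.pack("!H", 40) + b"\x00" * 5
    return eth_ip + bytes([6]) + b"\x00\x00" + src + dst + struct.pack("!HH", sport, dport) + b"\x00" * 16

def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # network 1 = Ethernet
    for ts, f in frames:
        out += struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1e6), len(f), len(f)) + f
    return out
SERVER, A, B = b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x03"
SAMPLE = build_pcap([
    (100.0, make_frame(A, 40000, SERVER, 80)),  # connection A: 200 ms total, dropped at 1000 ms
    (100.1, make_frame(B, 40001, SERVER, 80)),  # connection B: 1.4 s total, kept
    (100.2, make_frame(SERVER, 80, A, 40000)),  # reverse direction still counts as A
    (101.5, make_frame(SERVER, 80, B, 40001)),
])
```

For a real capture, read data.pcap as bytes, pass it to filter_long_connections with the threshold in seconds (1.0 for the question's 1000 ms) and write the returned bytes to dataLongConnections.pcap; pcapng input and non-IPv4/TCP frames are outside what this handles.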