
I use Moloch as an NDR and have it save 10G pcaps; needless to say, there are a lot of them. When I try to parse certain data from the pcaps via ngrep, it only lets me parse one at a time. If I use a simple ngrep with a wildcard I get `pcap compile: syntax error`:

ngrep -I /data/moloch/raw/*.pcap -W none 'host 192.168.0.101' -O /data/moloch/parsed.pcap

If I use

for file in ls -1 /data/moloch/raw/*.pcap' do nice -n 10 ngrep -O /data/moloch/parsed.pcap -W none 'host 192.168.0.101' done

it throws up an expected "do" error. Sorry, I'm sure it's a simple question, but I'm just starting to use Linux and I will be very grateful for ANY help.

  • You should probably remove the "Fixed, Created a scrip and these are the changes." and the commands after it from your question and paste all that into an answer, so that other people looking for an answer to that question see that it's answered. –  Mar 23 '16 at 17:15
  • Thank you will do. – Problematiq Mar 23 '16 at 21:39

1 Answer


Fixed the problem!

cd /data/moloch/raw || exit 1
mkdir -p /data/moloch/save
# Let the shell glob the files directly instead of parsing ls output.
for file in *.pcap
do
   # ngrep's first non-option argument ('ip') is its payload match expression;
   # the words after it form the BPF filter.  -q suppresses per-packet stdout output.
   nice -n 10 ngrep -I "$file" -q -O "/data/moloch/save/$file" ip 'host 192.168.0.101'
done

I had to have it write a pcap file for every file it read, due to the fact that you cannot pipe the output into pcap format, and I have to have it in that format. So no appending to existing files. When it is all said and done I will remove all pcaps with no data, then use mergecap to create one pcap.
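The complete procedure the answer describes (one ngrep run per capture, drop the captures that matched nothing, merge the rest with mergecap), as an added example that is not code from the question or the answer. It assumes the directory layout used in the thread (raw captures in /data/moloch/raw, per-file results in /data/moloch/save, merged output at /data/moloch/parsed.pcap) and the same host filter; all four can be overridden through environment variables. It also shows why the one-shot form in the question fails: `-I` reads exactly one file, so a glob after it spills the remaining file names into ngrep's match-expression and BPF-filter arguments, and the filter then does not compile.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumed layout (taken from the thread): raw captures in /data/moloch/raw,
# per-file results in /data/moloch/save, merged output /data/moloch/parsed.pcap.
RAW_DIR="${RAW_DIR:-/data/moloch/raw}"
OUT_DIR="${OUT_DIR:-/data/moloch/save}"
MERGED="${MERGED:-/data/moloch/parsed.pcap}"
BPF="${BPF:-host 192.168.0.101}"

# Output path for one input capture: same basename, different directory.
out_path() {
    printf '%s/%s\n' "$OUT_DIR" "${1##*/}"
}

# A pcap that matched nothing holds only the 24-byte global header that ngrep
# writes when it opens the -O file.  A missing file counts as empty too, so it
# is skipped rather than handed to mergecap.
is_empty_pcap() {
    [ -f "$1" ] || return 0
    size=$(wc -c < "$1" | tr -d ' ')
    [ "${size:-0}" -le 24 ]
}

# Filter one capture.  -I reads exactly one file; the first non-option argument
# is ngrep's payload match expression (an empty one matches every packet), and
# the remaining words form the BPF filter.  Putting a glob after -I hands the
# extra file names to those two slots, which is why the single-command version
# in the question ends in "pcap compile: syntax error".
filter_one() {
    nice -n 10 ngrep -I "$1" -q -O "$2" '' "$BPF"
}

run_all() {
    mkdir -p "$OUT_DIR"
    for in_file in "$RAW_DIR"/*.pcap; do
        # An unmatched glob stays literal in POSIX sh; stop instead of passing it on.
        [ -e "$in_file" ] || { echo "no .pcap files in $RAW_DIR" >&2; return 1; }
        out_file=$(out_path "$in_file")
        filter_one "$in_file" "$out_file"
        if is_empty_pcap "$out_file"; then
            rm -f -- "$out_file"      # nothing matched in this capture
        fi
    done
    set -- "$OUT_DIR"/*.pcap
    [ -e "$1" ] || { echo "no packets matched '$BPF'" >&2; return 1; }
    # mergecap (Wireshark) writes packets in timestamp order by default, so the
    # merged file reads like one continuous capture of the filtered host.
    mergecap -w "$MERGED" "$@"
}

# Run only when invoked as:  sh filter_pcaps.sh run
if [ "${1:-}" = run ]; then
    run_all
fi
```

The merged file is written outside OUT_DIR on purpose: if it lived beside the per-file results, a second run would glob it back into the merge. Keep the per-file outputs until the merged capture has been checked with `capinfos` or opened in Wireshark, then delete them.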