
Understanding network traffic flows is a multifaceted subject involving potentially many different tools and utilities. Examining raw capture data in the form of PCAP files can be facilitated with a few common and freely available tools. Packet capture files are usually viewed and manipulated with the Wireshark GUI, but one can also use tshark, the command-line utility that is part of Wireshark. Data analysis platforms such as R and pandas can be helpful as well.

An advantage of tshark lies in how quickly it can extract statistics and save the data to CSV files. When capturing data in bulk to profile conversations you may not care if you lose a small percentage of packets. If the goal is to troubleshoot and trace out individual conversations, keep in mind the loss rate that might be involved and consider capture filters: if there is a need to capture much more than a fraction of a 1GbE or 10GbE link, a hardware capture tool may be necessary to avoid significant capture loss. Remember that in the Wireshark family the dumpcap utility, used on its own, is the least lossy and least resource-intensive tool to capture with. Here is an example command used to derive data from a PCAP using tshark, in this case the frame length:

tshark -nr maccdc2012_00000.pcap -T fields -e frame.len > length_counts.txt

Here -n disables name resolution, -r reads from the named capture file, and -T fields -e frame.len prints only the frame length, one value per line. In this case we use a PCAP file (maccdc2012) that is publicly available on the web; this one was created from a hacking competition.

The above tshark command populates the file length_counts.txt with the length of each Ethernet frame. This results in a very large and unwieldy file, one line per frame. We would like to load the data into a data analysis tool such as R. It should be apparent that there aren't 8 million possible lengths of an Ethernet frame, so the data can be summarized. Suppose we want to summarize the data for efficiency and then load it on demand as a frequency table rather than a line-by-line frame file: a simple table that gives the count of frames observed at each length. Since a standard Ethernet frame carries at most about 1500 bytes of payload (jumbo frames aside), there are only around 1500 distinct lengths to account for, so we would not have all that many lines to contend with. Fortunately in Linux it's easy to create a frequency table.
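The following is an added example, not code from the original post: it turns the one-length-per-line file that the tshark command above writes into the frequency table described here, as CSV that R can read directly. The sample input is constructed inline to stand in for length_counts.txt (it is not data from maccdc2012), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a frame-length frequency
# table from a file containing one frame length per line, as produced by:
#   tshark -nr capture.pcap -T fields -e frame.len > length_counts.txt

# freq_table FILE
# Prints "frame_len,count" CSV with a header, ordered by frame length.
# sort -n makes equal lengths adjacent, uniq -c counts each run, and awk
# swaps uniq's "  count value" output into "value,count" CSV columns.
freq_table() {
    printf 'frame_len,count\n'
    sort -n "$1" | uniq -c | awk '{ printf "%s,%s\n", $2, $1 }'
}

# top_lengths FILE N
# Prints the N most frequent lengths as "frame_len,count", most frequent first.
top_lengths() {
    sort -n "$1" | uniq -c | sort -rn | head -n "$2" \
        | awk '{ printf "%s,%s\n", $2, $1 }'
}

# distinct_lengths FILE
# Number of distinct frame lengths seen (rows in the table minus the header).
distinct_lengths() {
    freq_table "$1" | tail -n +2 | wc -l | tr -d ' '
}

# total_frames FILE
# Sum of the counts; should equal the number of input lines, a cheap sanity
# check that nothing was dropped between tshark and the table.
total_frames() {
    freq_table "$1" | tail -n +2 | awk -F, '{ s += $2 } END { print s + 0 }'
}

# Constructed sample input standing in for length_counts.txt
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' 60 1514 60 66 1514 1514 60 66 1514 > "$SAMPLE"

freq_table "$SAMPLE" > length_freq.csv
cat length_freq.csv
echo "distinct lengths: $(distinct_lengths "$SAMPLE")"
echo "frames counted:   $(total_frames "$SAMPLE")"
rm -f length_freq.csv
```

For a real capture the table can be produced without the intermediate file at all by piping tshark straight into the same pipeline (`tshark -nr file.pcap -T fields -e frame.len | sort -n | uniq -c`), and the resulting CSV loads in R with `read.csv("length_freq.csv")`. Comparing total_frames against `wc -l length_counts.txt` catches truncated or partially written output before it skews the analysis.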
