I have some PCAP files from which I'm trying to extract metadata. I am doing this using tshark, opening the file, extracting a couple dozen fields, then writing the table to disk. I've noticed that this process can be pretty time consuming, sometimes up to 30 minutes for a single PCAP file. I am performing reverse DNS on the data, using the default settings (-N dmN) and I have the same reverse DNS settings in Wireshark. I understand that reverse DNS is a fairly time-consuming process relative to other processes that tshark/Wireshark is performing. However, when opening the same file in Wireshark and in tshark, Wireshark loads the file in a matter of seconds, while tshark will take minutes. My tshark command is:
tshark -r my_pcap_file.pcap \
-2 \
-T fields \
-E separator=/t \
-E header=y \
-E quote=d \
-e frame.time_epoch \
-e frame.len \
-e frame.protocols \
-e _ws.malformed \
-e _ws.col.Protocol \
-e _ws.col.Length \
-e ip.rec_rt \
-e ip.src \
-e ip.dst \
-e ip.src_host \
-e ip.dst_host \
> my_pcap_file.tsv
Is there a known reason for this speed difference?
Asked by CopyOfA
(123 rep)
Jan 10, 2024, 03:46 PM
Last activity: Jan 11, 2024, 07:20 PM