NAME
recs-fromtcpdump
recs-fromtcpdump --help-all
Usage: recs-fromtcpdump <file1> <file2> ...
Runs tcpdump and puts out records, one for each packet. Expects pcap files.
Will put the name of the originating capture file in the 'file' field.
Will parse packet types: ethernet, ip, udp, arp, tcp The type key will
indicate the highest level parsed. DNS information will be parsed for TCP or
UDP packets that are from or to port 53. The parsed representation of the
packet for each valid level will be placed in the corresponding key. For
instance, for a tcp packet, there will be information in the keys 'ethernet',
'ip', and 'tcp'
By default, data output is suppressed due to poor interaction with
terminal programs.
Flags will be parsed into hash of strings
Possible IP flags: congestion, dont_fragment, more_fragments
Poassible TCP flags: ACK, CWR, ECE, FIN, PSH, RST, SYN, URG
ARP opcodes will be matched
Possible opcodes: ARP_REPLY, ARP_REQUEST, RARP_REPLY, RARP_REQUEST
Creating a pcap file:
Run a tcpdump command with -w FILE to produce a pcap file. For instance: sudo
tcpdump -w /var/tmp/capture.pcap
Optionally, include all the data and timing information: sudo tcpdump -w
capture.pcap -s4096 -S -tt
See 'man tcpdump' for more information.
Arguments
--data Include raw data bytes of deepest packet level
--filename-key|fk <keyspec> Add a key with the source filename (if no
filename is applicable will put NONE)
Help Options:
--help This help screen
Examples
Get records for all packets
recs-fromtcpdump capture.pcapSEE ALSO
See App::RecordStream for an overview of the scripts and the system
Run
recs examplesor see App::RecordStream::Manual::Examples for a set of simple recs examplesRun
recs storyor see App::RecordStream::Manual::Story for a humorous introduction to RecordStreamEvery command has a
--helpmode available to print out usage and examples for the particular command, just like the output above.