A Ring Buffer addresses a common issue many analysts encounter when capturing packets: huge traces. With increased bandwidth and large drives, it doesn’t take much to create a 500 MB trace file. The problem with a trace of 500 MB or larger is opening and working with the file in Wireshark: filters and statistics reports can take minutes to generate. This is why I recommend you take large trace files and split them into smaller trace files.
Back to Ring Buffers: when you use a Ring Buffer, you can define how many files you want to capture and various parameters that affect the file size (i.e., number of packets, bytes, and time). At the end of this process you end up with multiple files, much like the scenario I previously mentioned.
In this article and video, I share a tip on how you can easily manage these files using built-in Microsoft commands. No third-party software needs to be downloaded or purchased. The only thing you need to check is that Wireshark is in your path.
In this example I put all the files in a folder and create a subfolder titled “new.” Before getting into the command information, I suggest you test your commands without the -w portion so the results display on the screen before any files are created.
I use the following command to filter many files and create new filtered trace files. The first command is:
for %a in (*.pcapng) do tshark -r %a -Y dns -w new\new_dns_%a
In this command:
- %a represents the files in that folder
- *.pcapng defines the pattern of the existing trace files
- do introduces the command to run for each file, here an external program
- tshark -r %a reads the current file in the folder
- -Y dns uses the Wireshark display filter syntax to define the filter criteria
- -w new\new_dns_%a creates a file in the new folder and every filename will start with new_dns
The second example is much like the first one except I filter on IP address, not protocol. The command is:
for %a in (*.pcapng) do tshark -r %a -Y ip.addr==8.8.8.8 -w new\new_8_8_8_8_%a
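The same loop as a reusable batch file, added here as an example and not taken from the original article. The file name filter_traces.cmd, its arguments, and the preview option are assumptions made for illustration. It checks that tshark is in the path, creates the “new” folder, and can run without -w first, as suggested above.

```batch
@echo off
rem filter_traces.cmd (hypothetical name) - added example, not the author's script.
rem Usage:  filter_traces.cmd "display filter" label [preview]
rem   %1 = Wireshark display filter, quoted (for example "dns")
rem   %2 = label placed in each output file name (for example dns)
rem   %3 = optional word "preview": print matches, write no files
setlocal

if "%~2"=="" (
    echo Usage: %~nx0 "display filter" label [preview]
    exit /b 1
)

rem The article's one prerequisite: tshark must be reachable through PATH.
where tshark >nul 2>&1
if errorlevel 1 (
    echo tshark was not found in PATH. Add the Wireshark install folder to PATH.
    exit /b 1
)

rem Create the output subfolder used by the article if it is missing.
if not exist "new" mkdir "new"

rem In a batch file the loop variable is written %%a instead of %a.
rem Quoting "%%a" keeps trace file names that contain spaces intact.
for %%a in (*.pcapng) do (
    echo Processing %%a
    if /i "%~3"=="preview" (
        rem Same filter without -w, so results only display on screen.
        tshark -r "%%a" -Y "%~1"
    ) else (
        tshark -r "%%a" -Y "%~1" -w "new\new_%~2_%%a"
    )
)

endlocal
```

Run it from the folder that holds the trace files. Filters that themselves contain double quotes are not handled by this simple argument passing.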