Can I apply a filter to a trace file when using Windump
Hi friends,
I captured some packets and wrote them to a file with windump; the command is as follows:
windump -i2 -w -s 1500 -w xxx.pcap
But when I tried to apply a filter (windump -r xxx.pcap ip[9] = 6) to the trace file, windump only responded with "reading from file xxx.pcap, link-type EN10MB (Ethernet)". I have no idea what's wrong here. Can I only apply a filter while capturing?
I've confirmed that there are TCP packets in the trace file, and if I open it with Wireshark and apply a display filter "tcp" or "ip[9] == 6", it works perfectly.
Thanks in advance:)
Comments
JDMurray (Admin): I just tried to duplicate your command lines and found a redundant '-w' in your capture command that causes a syntax error. After taking that out, it works fine for me to both create the pcap file and to display its contents using WinDump and that filter expression. I'm wondering if your standard output is being implicitly redirected somehow. Try explicitly redirecting the WinDump output to a file and check if the output is stored: windump -r xxx.pcap ip[9] = 6 > xxx.txt
chaser7783: kke, I just did the same in tcpdump. I also get "reading from file xxx.pcap, link-type EN10MB (Ethernet)", which is normal, but look in the file xxx.txt. Nothing other than that should be written to the terminal b/c you have redirected all output to xxx.txt.
JDMurray (Admin): I wonder if it's a permission problem. You're not trying to write/read the pcap file from your System32 folder, are you? Open the command window using "Run as administrator" and try reading the pcap file using windump again.
kke: @chaser7783 Thanks, haha, sure, I have checked the xxx.txt but it's empty unfortunately.
@JDMurray, I work under Windows XP and my account is in the administrator user group, so I really have no idea what's wrong.
kke: Hi chaser7783 and JDMurray, in order to ascertain whether the problem is caused by an environment discrepancy or not, I have uploaded the xxx.pcap file to http://filebin.ca/13wkovgUA8pJ , please have a look :)
chaser7783: OK, I believe I see the issue. The captured traffic is PPP over Ethernet, which is encapsulated in the Ethernet header, so a byte offset of 9 alone won't work. You have to state that it is PPPoE, much like you would for VLAN traffic, so the correct syntax would be: windump -nr xxx.pcap 'pppoes and ip[9] = 06' > xxx.txt
Sample payload:
0000 00 d0 b7 1b 8d 3e 3c 97 0e 5c cb 45 88 64 11 00
0010 4e 01 00 36 00 21 45 00 00 34 77 fb 40 00 80 06
0020 ab b8 0a c6 01 06 4a 7d 80 c7 d7 94 00 50 56 e2
0030 23 01 00 00 00 00 80 02 20 00 26 4c 00 00 02 04
0040 05 a0 01 03 03 08 01 01 04 02
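To make the offset problem concrete, here is an added example that is not part of the original thread: it decodes the sample payload chaser7783 posted and emulates what the two filter expressions see. The hex dump is the one above; the function names, the toy "BPF" emulation and the constants are my own and are only an approximation of how libpcap treats the ip qualifier (it matches Ethernet type 0x0800 for plain Ethernet, and PPP protocol 0x0021 once pppoes has skipped the 6-byte PPPoE session header and the 2-byte PPP protocol field).

```python
"""Why 'ip[9] = 6' is silent on a PPPoE session capture and 'pppoes and ip[9] = 6' is not.

Added example, not code from the forum thread or from WinDump/libpcap.  The frame is
the sample payload posted in the thread; the dissector and filter emulation are
illustrative approximations of libpcap's behaviour.
"""
import struct

# Constructed input: the hex dump posted in the thread, offset column included.
SAMPLE_DUMP = """\
0000 00 d0 b7 1b 8d 3e 3c 97 0e 5c cb 45 88 64 11 00
0010 4e 01 00 36 00 21 45 00 00 34 77 fb 40 00 80 06
0020 ab b8 0a c6 01 06 4a 7d 80 c7 d7 94 00 50 56 e2
0030 23 01 00 00 00 00 80 02 20 00 26 4c 00 00 02 04
0040 05 a0 01 03 03 08 01 01 04 02
"""

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
ETH_HDR_LEN = 14
PPPOE_HDR_LEN = 6   # ver/type, code, session id, payload length
PPP_PROTO_LEN = 2   # PPP protocol field that precedes the IP header
IP_PROTO_TCP = 6


def parse_hexdump(text):
    """Turn an 'offset b0 b1 ...' dump into bytes, dropping the offset column."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            out.extend(int(b, 16) for b in fields[1:])
    return bytes(out)


def dissect(frame):
    """Walk Ethernet -> (PPPoE session + PPP) -> IPv4 and report where IP starts."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    info = {"ethertype": ethertype, "ip_offset": None}
    if ethertype == ETHERTYPE_IPV4:
        info["ip_offset"] = ETH_HDR_LEN
    elif ethertype == ETHERTYPE_PPPOE_SESSION:
        vertype, code, session, length = struct.unpack_from("!BBHH", frame, ETH_HDR_LEN)
        ppp_proto = struct.unpack_from("!H", frame, ETH_HDR_LEN + PPPOE_HDR_LEN)[0]
        info.update(pppoe_code=code, pppoe_session=session,
                    pppoe_length=length, ppp_proto=ppp_proto)
        if code == 0 and ppp_proto == PPP_PROTO_IPV4:   # code 0 = session data
            info["ip_offset"] = ETH_HDR_LEN + PPPOE_HDR_LEN + PPP_PROTO_LEN
    if info["ip_offset"] is not None:
        info["ip_proto"] = frame[info["ip_offset"] + 9]  # ip[9] = protocol field
    return info


def bpf_ip_byte(frame, index, pppoes=False):
    """Emulate the value the BPF expression ip[index] evaluates to.

    Returns None when the 'ip' qualifier itself does not match, which is the
    case that makes windump print nothing: without 'pppoes' the frame must carry
    Ethernet type 0x0800, and this capture carries 0x8864 instead.
    """
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if not pppoes:
        if ethertype != ETHERTYPE_IPV4:
            return None
        return frame[ETH_HDR_LEN + index]
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        return None
    ppp_proto = struct.unpack_from("!H", frame, ETH_HDR_LEN + PPPOE_HDR_LEN)[0]
    if ppp_proto != PPP_PROTO_IPV4:
        return None
    return frame[ETH_HDR_LEN + PPPOE_HDR_LEN + PPP_PROTO_LEN + index]


def matches_ip_proto(frame, proto, pppoes=False):
    """True if the frame would pass 'ip[9] = <proto>' (with or without pppoes)."""
    return bpf_ip_byte(frame, 9, pppoes) == proto


if __name__ == "__main__":
    frame = parse_hexdump(SAMPLE_DUMP)
    print(dissect(frame))
    print("ip[9] = 6            ->", matches_ip_proto(frame, IP_PROTO_TCP))
    print("pppoes and ip[9] = 6 ->", matches_ip_proto(frame, IP_PROTO_TCP, pppoes=True))
```

Two practical notes. Wireshark's display filter "ip[9] == 6" works on the same file because display filters run over dissected fields, whereas a capture filter is compiled to BPF and works on raw byte offsets from the link-layer header, so the link-layer stacking (PPPoE here, VLAN tags in the analogous case) has to be named in the expression. The "06" in chaser7783's command is harmless: the filter lexer reads a leading zero as octal, and octal 06 is still 6.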