-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathtcpslice.1
422 lines (422 loc) · 12.9 KB
/
tcpslice.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
.\" Copyright (c) 1991, 1996, 2000
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH TCPSLICE 1 "30 July 2020"
.SH NAME
tcpslice \- extract pieces of and/or merge together pcap files
.SH SYNOPSIS
.na
.B tcpslice
[
.B \-DdlhRrtv
] [
.B \-w
.I file
]
.br
.ti +9
[
.B \-s
.I types
[
.B \-e
.I seconds
] [
.B \-f
.I format
] ]
.br
.ti +9
[
.I start-time
[
.I end-time
] ]
.I file ...
.br
.ad
.SH DESCRIPTION
.LP
.I Tcpslice
is a program for extracting portions of packet-trace files generated using
.BR tcpdump (1)'s
.B \-w
flag.
It can also be used to merge together several such files, as discussed
below.
.LP
The basic operation of
.I tcpslice
is to copy to
.I stdout
all packets from its input file(s) whose timestamps fall
within a given range. The starting and ending times of the range
may be specified on the command line. All ranges are inclusive.
The starting time defaults
to the earliest time of the first packet in
any of the input files; we call
this the
.I first time.
The ending time defaults to ten years after the starting time.
Thus, the command
.I tcpslice trace-file
simply copies
.I trace-file
to \fIstdout\fP (assuming the file does not include more than
ten years' worth of data).
.LP
There are a number of ways to specify times. The first is using
Unix timestamps of the form
.I sssssssss.uuuuuu
(this is the format specified by \fItcpdump\fP's
.B \-tt
flag).
For example,
.B 654321098.7654
specifies 38 seconds and 765,400 microseconds
after 8:51PM PDT, Sept. 25, 1990.
.LP
All examples in this manual are given
for PDT times, but when displaying times and interpreting times symbolically
as discussed below,
.I tcpslice
uses the local timezone, regardless of the timezone in which the pcap
file was generated. The daylight-savings setting used is that which is
appropriate for the local timezone at the date in question. For example,
times associated with summer months will usually include daylight-savings
effects, and those with winter months will not.
.LP
Times may also be specified relative
to either the
.I first time
(when specifying a starting time)
or the starting time (when specifying an ending time)
by preceding a numeric value in seconds with a `+'.
For example, a starting time of
.B +200
indicates 200 seconds after the
.I first time,
and the two arguments
.B +200 +300
indicate from 200 seconds after the
.I first time
through 500 seconds after the
.I first time.
.LP
Times may also be specified in terms of years (y), months (m), days (d),
hours (h), minutes (m), seconds (s), and microseconds(u). For example,
the Unix timestamp 654321098.7654 discussed above could also be expressed
as
.B 1990y9m25d20h51m38s765400u.
2 or 4 digit years may be used; 2 digits can specify years from 1970 to
2069.
.LP
When specifying times using this style, fields that are omitted default
as follows. If the omitted field is a unit
.I greater
than that of the first specified field, then its value defaults to
the corresponding value taken from either
.I first time
(if the starting time is being specified) or the starting time
(if the ending time is being specified).
If the omitted field is a unit
.I less
than that of the first specified field, then it defaults to zero (1 for days).
For example, suppose that the input file has a
.I first time
of the Unix timestamp mentioned above, i.e., 38 seconds and 765,400 microseconds
after 8:51PM PDT, Sept. 25, 1990. To specify 9:36PM PDT (exactly) on the
same date we could use
.B 21h36m.
To specify a range from 9:36PM PDT through 1:54AM PDT the next day we
could use
.B 21h36m 26d1h54m.
.LP
Relative times can also be specified when using the
.I ymdhmsu
format. Omitted fields then default to 0 if the unit of the field is
.I greater
than that of the first specified field, and to the corresponding value
taken from either the
.I first time
or the starting time if the omitted field's unit is
.I less
than that of the first specified field. Given a
.I first time
of the Unix timestamp mentioned above,
.B 22h +1h10m
specifies a range from 10:00PM PDT on that date through 11:10PM PDT, and
.B +1h +1h10m
specifies a range from 38.7654 seconds after 9:51PM PDT through 38.7654
seconds after 11:01PM PDT. The first hour of the file could be extracted
using
.B +0 +1h.
.LP
Note that with the
.I ymdhmsu
format there is an ambiguity between using
.I m
for `month' or for `minute'. The ambiguity is resolved as follows: if an
.I m
field is followed by a
.I d
field then it is interpreted as specifying months; otherwise it
specifies minutes.
.LP
If more than one input file is specified then
.I tcpslice
merges the packets from the various input files into the single
output file. Normally, this merge is done based on the
value of the time stamps in the packets in the individual files.
(Tcpslice assumes that
.I within
each input file, packets are in time stamp order.)
If the
.B \-l
option is used, the value used for ordering is the time stamp of
a given packet minus the time stamp of the first packet in the
input file in which the given packet occurs.
.LP
When merging files, by default
.I tcpslice
will discard any
.I duplicate
packet it finds in more than one file. A duplicate is a packet
that has an identical timestamp (either relative or absolute) and
identical packet contents (for as much as was captured) as another
packet previously seen in a different file. Note that it is possible
for the network to generate true replicates of packets, and for
systems that can return the same timestamp for multiple packets,
these can be mistaken for duplicates and discarded. Accordingly,
.I tcpslice
will not discard duplicates in the same trace file. In addition,
you can use the
.B \-D
option to suppress any discarding of duplicates.
.SH OPTIONS
.LP
If any of
.BR \-R ,
.B \-r
or
.B \-t
are specified then
.I tcpslice
reports the timestamps of the first and last packets in each input file
and exits. Only one of these three options may be specified.
.TP
.B \-D
Do not discard duplicate packets seen when merging multiple trace files.
.TP
.B \-d
Dump the start and end times specified by the given range and
exit. This option is useful for checking that the given range actually
specifies the times you think it does. If one of
.BR \-R ,
.B \-r
or
.B \-t
has been specified then the times are dumped in the corresponding
format; otherwise, raw format (\fB\-R\fP) is used.
.TP
.B \-e
Specify a number of
.I seconds
to wait after the last packet was seen before considering a session
to be expired (default: 0 = do not expire inactive sessions). This
is only effective when the
.B \-s
option is used to track sessions.
.TP
.B \-f
Specify the name
.I format
of PCAP files to which each session will be extracted (default: NULL = do
not extract sessions to separate files). This is only effective when the
.B \-s
option is used to track sessions.
.TP
.B \-h
Print the tcpslice and libpcap version strings, print a usage message, and exit.
.TP
.B \-l
When merging more than one file, merge on the basis of
relative time, rather than absolute time.
Normally, when merging
files is done, packets are merged based on absolute time stamps. With
.B \-l
packets are merged based on the relative time between
the start of the file in which the packet is found and the time stamp
of the packet itself.
The time stamp of packets in the output file is calculated
as the relative time for the packet within its file plus
.I first time.
.TP
.B \-R
Dump the timestamps of the first and last packets in each input file
as raw timestamps (i.e., in the form \fI sssssssss.uuuuuu\fP).
.TP
.B \-r
Same as
.B \-R
except the timestamps are dumped in human-readable format, similar
to that used by
.BR date (1).
.TP
.B \-s
Enable session tracking for the specified
.I types
which is a comma-separated list of the following:
.RS
.TP
.B tcp
track all TCP connections
.TP
.B sip
track SIP-based VoIP calls, which may enable tracking of TCP
connections but only the ones that are related to SIP calls.
This feature is only available if tcpslice was linked against
Aymeric Moizard's GNU oSIP library; if not, install the latest
version of
.I libosip2
from https://www.gnu.org/software/osip/ and recompile tcpslice.
.TP
.B h323
track H.323-based VoIP calls, which may enable tracking of TCP
connections but only the ones that are related to H.323 calls.
This feature is only available if tcpslice was linked against
Objective Systems' Open H.323 library for C; if not, install the
latest version of
.I libooh323c
from https://sourceforge.net/projects/ooh323c/ and recompile tcpslice.
.PP
Session tracking altogether is only available if tcpslice was linked
against a recent version (>1.20) of Rafal Wojtczuk's Network Intrusion
Detection System library; if not, install the latest version of
.I libnids
from http://libnids.sourceforge.net/ and recompile tcpslice.
.RE
.TP
.B \-t
Same as
.B \-R
except the timestamps are dumped in
.I tcpslice
format, i.e., in the
.I ymdhmsu
format discussed above.
.TP
.B \-v
Turn on verbose mode. Currently this only affects session tracking (\fB\-s\fP)
messages: if specified at least once, sessions openings and closings
are displayed regardless of the time (by default the closings are only
displayed past
.IR end-time );
if specified at least twice, subsessions (sessions initiated by other
sessions) openings and closings are also displayed.
.TP
.B \-w
Direct the output to \fIfile\fR rather than \fIstdout\fP.
.SH "SEE ALSO"
.BR tcpdump (1)
.SH AUTHORS
The original author was:
.LP
Vern Paxson, of
Lawrence Berkeley Laboratory, University of California, Berkeley, CA.
.LP
It is currently being maintained by The Tcpdump Group.
.LP
The current version is available at:
.LP
.RS
.I https://github.com/the-tcpdump-group/tcpslice
.RE
.LP
.LP
The original distribution is available via anonymous ftp:
.LP
.RS
.I ftp://ftp.ee.lbl.gov/tcpslice-1.2a3.tar.gz
.RE
.SH BUGS
Please send problems, bugs, questions, desirable enhancements, etc. to:
.LP
.RS
.RE
.LP
Please send source code contributions as git pull requests through the
project page above.
.LP
An input filename that exactly matches the
.I sssssssss.uuuuuu
or the
.I ymdhmsu
format discussed above can be confused with a start/end time (regardless if
the date and the time are valid in the latter case). Such filenames can be
specified with a leading `./'; for example, specify the file `1976y07m04d'
as `./1976y07m04d' and `00000123' as `./00000123'. Alternatively, renaming
the files to `1976y07m04d.pcap' and `00000123.pcap' respectively would
resolve this ambiguity.
.LP
.I tcpslice
cannot read its input from \fIstdin\fP, since it uses random-access
to rummage through its input files.
.LP
.I tcpslice
refuses to write to its output if it is a terminal
(as indicated by
.BR isatty (3)).
This is not a bug but a feature,
to prevent it from spraying binary data to the user's terminal.
Note that this means you must either redirect \fIstdout\fP or specify an
output file via \fB\-w\fP.
.LP
.I tcpslice
will not work properly on pcap files spanning more than one year;
with files containing portions of packets whose original length was
more than 65,535 bytes; nor with files containing fewer than two packets.
Such files result in
the error message: `couldn't find final packet in file'. These problems
are due to the interpolation scheme used by
.I tcpslice
to greatly speed up its processing when dealing with large trace files.
Note that
.I tcpslice
can efficiently extract slices from the middle of trace files of any
size, and can also work with truncated trace files (i.e., the final packet
in the file is only partially present, typically due to \fItcpdump\fP
being ungracefully killed).
.LP
Adding
.B \-l
has broken some compatibility with older versions, since
.I tcpslice
now merges its input files, rather than (approximately) concatenating
them together as it did previously.
.LP
It would sometimes be convenient if you could specify a clock offset
to use with the
.B \-l
option.
.LP
It would be nice if
.I tcpslice
supported more general editing of trace files.