pcaps:ixmgtool
Differences
This shows you the differences between two versions of the page.
pcaps:ixmgtool [2019/04/13 18:50] – created veera | pcaps:ixmgtool [2019/04/15 16:50] (current) – [Conclusion] veera | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Merge multiple thin PCAP files into a single | + | ====== Merge multiple thin PCAP files into a single |
When you install Trisul Network Analytics , you get a free command line tool called '' | When you install Trisul Network Analytics , you get a free command line tool called '' | ||
- | This tool has a unique capability to **squish** PCAP files that is very handy to create fat pcap files useful for testing. | + | This tool has a unique capability to **squish** PCAP files that is very handy to create fat pcap files useful for testing. This article explains how this free tool works. |
===== What is a FAT pcap file ===== | ===== What is a FAT pcap file ===== | ||
- | A FAT pcap file contains more unique flows and endpoints than a THIN pcap file. | + | < |
+ | </ | ||
While testing NSM((Network Security Monitoring)) | While testing NSM((Network Security Monitoring)) | ||
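Review bot: Terminology and casing are inconsistent in the intro sentence and the definition section. The intro line uses "PCAP files" and "fat pcap files" in the same sentence, while the heading and the removed definition use "FAT pcap file" and "THIN pcap file". Pick one form for each term and use it throughout. The intro also uses "fat pcap" before the term is defined, so keep a plain one-sentence definition such as the removed "A FAT pcap file contains more unique flows and endpoints than a THIN pcap file." directly under the heading. There is also a stray space before the comma in "Trisul Network Analytics ,".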
Line 17: | Line 18: | ||
===== How is it different from mergecap | ===== How is it different from mergecap | ||
- | Mergecap | + | Mergecap |
- | trisul_ixmgtool when run with the squish option , aligns the timestamps | + | trisul_ixmgtool when run with the squish option , aligns the timestamps |
{{: | {{: | ||
+ | You can think of ixmgtool as combining the following three operations | ||
+ | - Find the lowest timestamp from all the pcap files, and compute the deltas for each file | ||
+ | - Run '' | ||
+ | - Run '' | ||
- | ====== trisul_ixmgtool ====== | + | ====== |
To get the free ixmgtool [[https:// | To get the free ixmgtool [[https:// | ||
+ | **Usage** | ||
+ | < | ||
+ | unpl@unpl: | ||
+ | Usage : ixmgtool [-squish|-squish10] | ||
+ | </ | ||
+ | **Options** | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | If you run without the squish options, ixmgtool is the same as mergecap. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== Example run ===== | ||
+ | |||
+ | Say you have put 10 files in a directory | ||
+ | |||
+ | < | ||
+ | unpl@unpl: | ||
+ | total 2.5G | ||
+ | -rw-rw-r-- 1 unpl unpl 119M Mar 15 20:14 wrccdc.regionals.2019-03-01.111129006380000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 112M Mar 15 20:14 wrccdc.regionals.2019-03-01.111133006390000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 124M Mar 15 20:14 wrccdc.regionals.2019-03-01.111138006400000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 125M Mar 15 20:14 wrccdc.regionals.2019-03-01.111143006410000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 106M Mar 15 20:14 wrccdc.regionals.2019-03-01.111147006420000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 110M Mar 15 20:14 wrccdc.regionals.2019-03-01.111151006430000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 107M Mar 15 20:14 wrccdc.regionals.2019-03-01.111155006440000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 105M Mar 15 20:14 wrccdc.regionals.2019-03-01.111159006450000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 112M Mar 15 20:14 wrccdc.regionals.2019-03-01.111203006460000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 119M Mar 15 20:14 wrccdc.regionals.2019-03-01.111206006470000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 113M Mar 15 20:14 wrccdc.regionals.2019-03-01.111210006480000.pcap | ||
+ | -rw-rw-r-- 1 unpl unpl 118M Mar 15 20:14 wrccdc.regionals.2019-03-01.111215006490000.pcap | ||
+ | |||
+ | </ | ||
+ | |||
+ | Running the following command | ||
+ | |||
+ | < | ||
+ | |||
+ | unpl@unpl: | ||
+ | |||
+ | |||
+ | EOF on wrccdc.regionals.2019-03-01.111203006460000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111159006450000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111147006420000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111143006410000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111210006480000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111206006470000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111151006430000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111155006440000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111129006380000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111138006400000.pcap, | ||
+ | Done. | ||
+ | |||
+ | </ | ||
+ | |||
+ | results in a fat pcap | ||
+ | |||
+ | < | ||
+ | unpl@unpl: | ||
+ | -rw------- 1 unpl unpl 1.2G Apr 13 13:29 fatone.pcap | ||
+ | </ | ||
+ | |||
+ | |||
+ | To get a **really FAT pcap** you can use the '' | ||
+ | |||
+ | |||
+ | |||
+ | < | ||
+ | unpl@unpl: | ||
+ | |||
+ | 5000000 Packets | ||
+ | EOF on wrccdc.regionals.2019-03-01.111203006460000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111159006450000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111147006420000.pcap, | ||
+ | 8000000 Packets | ||
+ | EOF on wrccdc.regionals.2019-03-01.111143006410000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111210006480000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111206006470000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111151006430000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111155006440000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111129006380000.pcap, | ||
+ | EOF on wrccdc.regionals.2019-03-01.111138006400000.pcap, | ||
+ | |||
+ | unpl@unpl: | ||
+ | -rw------- 1 unpl unpl 13G Apr 13 13:35 really_fatone.pcap | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | ====== Conclusion ====== | ||
+ | |||
+ | trisul_ixmgtool | ||
+ | |||
+ | Hope this is useful to the NSM community. | ||
+ | |||
+ | |||
+ | To get the tool (it is free). | ||
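Review bot: The example run is internally inconsistent about its input. The text says "Say you have put 10 files in a directory", but the listing under it shows 12 pcap files, and both run outputs report EOF on only 10 of them: wrccdc.regionals.2019-03-01.111133006390000.pcap and wrccdc.regionals.2019-03-01.111215006490000.pcap never appear. State which files were passed on the command line, or trim the listing to the 10 that were merged, so readers can relate the 1.2G and 13G output sizes to the input. Two smaller points in the same hunk: the first run's output ends with "Done." while the squish10 run's output does not, so say whether that is expected. The closing line "To get the tool (it is free)." is a sentence fragment and needs its link or the rest of the sentence.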
pcaps/ixmgtool.txt · Last modified: 2019/04/15 16:50 by veera