Documentation
Index
Constants
This section is empty.
Variables
var Slice = &charm.Spec{
	Name:  "slice",
	Usage: "slice [options] [ ip:port ip:port ]",
	Short: "extract a pcap using a time range and/or flow filter",
	Long: `
The slice command takes an (optional) index file, an (optional) time range
(specified with -from and -to), and an (optional) flow filter as arguments
and produces an extracted pcap file.

The output pcap file is created by copying the relevant segments of the
input pcap file (e.g., headers, interface blocks, packets etc) rather than
generating a new file. This means that certain stats (like interface packet
drops between adjacent capture packets) are not accurate in the resulting
output. That said, all of the actual packet data is accurate and explorable
by a tool like wireshark.

If an index is provided with -x, then the packets that fall outside of the
indexed time range are skipped without disk I/O, which dramatically speeds up
the slicing when extracting a small range out of a large pcap.

If the time range is specified, it is used by the index and only packets
that fall within the time range are scanned. (If the time range is given but
no index is provided, then the entire pcap is scanned but only packets that
fall within the time range are matched.)

If a flow filter is specified in the format "ip:port ip:port", along with a
protocol ("tcp", "udp", or "icmp" specified with -p), then only packets from
that flow are matched.

The time format for -from and -to is currently float seconds since
1970-01-01. We will support more flexible time formats in the future.
`,
	New: New,
}
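The matching rules in the help text above (float-second -from/-to bounds plus an "ip:port ip:port" flow with a -p protocol), sketched as an added example that is not this package's own code. Filter, ParseEpoch, ParseFlow and Match are hypothetical names, the addresses are constructed, and both the either-direction flow match and the 1e11 upper bound on times are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"time"
)

// Filter is a hypothetical holder for -from, -to, -p and the flow arguments.
type Filter struct {
	From, To time.Time // zero value means unbounded
	Proto    string    // empty means no flow filter
	A, B     netip.AddrPort
}

// ParseEpoch converts float seconds since 1970-01-01 to a time.Time.
func ParseEpoch(s string) (time.Time, error) {
	f, err := strconv.ParseFloat(s, 64)
	if err != nil || !(f >= 0 && f <= 1e11) { // also rejects NaN and Inf
		return time.Time{}, fmt.Errorf("invalid time %q", s)
	}
	sec := int64(f)
	return time.Unix(sec, int64((f-float64(sec))*1e9)).UTC(), nil
}

// ParseFlow parses the "ip:port ip:port" pair given with -p tcp, udp or icmp.
func ParseFlow(proto, a, b string) (f Filter, err error) {
	if proto != "tcp" && proto != "udp" && proto != "icmp" {
		return f, fmt.Errorf("unsupported protocol %q", proto)
	}
	if f.A, err = netip.ParseAddrPort(a); err == nil {
		f.B, err = netip.ParseAddrPort(b)
	}
	f.Proto = proto
	return f, err
}

// Match applies the time range, then the flow in either direction (assumed).
func (f Filter) Match(ts time.Time, proto string, src, dst netip.AddrPort) bool {
	if !f.From.IsZero() && ts.Before(f.From) || !f.To.IsZero() && ts.After(f.To) {
		return false
	}
	return f.Proto == "" || proto == f.Proto && (src == f.A && dst == f.B || src == f.B && dst == f.A)
}

func main() {
	f, err := ParseFlow("tcp", "10.0.0.1:443", "10.0.0.2:51000") // constructed
	fmt.Println(f.Match(time.Unix(1, 0), "tcp", f.B, f.A), err)
}
```

A float64 resolves only about 0.2 microseconds at present-day epoch values, so bounds given this way cannot separate packets that are closer together than that.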
Functions
Types