
Parsing tcpdump dumps

I have a gigabyte-sized file created by tcpdump from an 802.1q-tagged link.

What can I use to parse it into a per-IP top report?


You can use tshark (the console version of Wireshark); it has

       -T  pdml|psml|ps|text|fields
           Set the format of the output when viewing decoded packet data.  The options are one of:

           pdml    Packet Details Markup Language, an XML-based format for the details of a decoded packet.  This information is equivalent to the packet details printed with the -V flag.

           psml    Packet Summary Markup Language, an XML-based format for the summary information of a decoded packet.  This information is equivalent to the information shown in the one-line summary printed by default.

           ps      PostScript for a human-readable one-line summary of each of the packets, or a multi-line view of the details of each of the packets, depending on whether the -V flag was specified.

           text    Text of a human-readable one-line summary of each of the packets, or a multi-line view of the details of each of the packets, depending on whether the -V flag was specified.  This is the default.

           fields  The values of fields specified with the -e option, in a form specified by the -E option.

frozen_twilight ★★
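As an added example (not part of the thread above), here is how the `-T fields` output mode can be turned into the per-IP top report the question asks for: tshark emits one tab-separated line per packet, and a small awk pipeline aggregates bytes and packet counts per source address. The file name `capture.pcap` and the sample field lines are constructed for illustration; the tshark options and field names (`ip.src`, `frame.len`) are real.

```shell
#!/bin/sh
# Added example, not from the original thread. Aggregates tshark "-T fields"
# output into a per-source-IP top report sorted by bytes.

# Read tab-separated lines "src_ip<TAB>frame_len" on stdin and print
# "bytes<TAB>packets<TAB>ip" rows, largest byte count first, top N rows.
# Lines with an empty ip.src (ARP, STP, etc.) are skipped.
top_by_src() {
    n="${1:-10}"
    awk -F'\t' 'NF >= 2 && $1 != "" { bytes[$1] += $2; pkts[$1] += 1 }
        END { for (ip in bytes) printf "%d\t%d\t%s\n", bytes[ip], pkts[ip], ip }' |
        sort -k1,1nr | head -n "$n"
}

# Real invocation against the dump (not run here; capture.pcap is a placeholder).
# tshark strips the 802.1Q tag itself, so ip.src is the inner IP header.
# -n disables name resolution (important on a gigabyte file),
# -E occurrence=f keeps only the first ip.src if a frame carries several
# (e.g. ICMP errors quoting an IP header), so the field count stays at two.
# tshark -n -r capture.pcap -T fields -E separator=/t -E occurrence=f \
#     -e ip.src -e frame.len | top_by_src 20

# Constructed sample of what "tshark -T fields" prints (no real traffic).
SAMPLE_FIELDS=$(printf '10.0.0.5\t1500\n10.0.0.7\t60\n10.0.0.5\t1500\n10.0.0.9\t120\n10.0.0.7\t60\n10.0.0.7\t60\n')

# Top talker by bytes from the constructed sample.
top_talker() {
    printf '%s\n' "$SAMPLE_FIELDS" | top_by_src 1 | cut -f3
}

# Byte total of the top talker from the constructed sample.
top_talker_bytes() {
    printf '%s\n' "$SAMPLE_FIELDS" | top_by_src 1 | cut -f1
}

printf '%s\n' "$SAMPLE_FIELDS" | top_by_src 10
```

For a per-destination report swap `ip.src` for `ip.dst`; for a per-VLAN breakdown add `-e vlan.id` and extend the awk key accordingly.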
