Name

pcap2convxml — Create an IPv4 Address conversation list from a pcap file in XML format with Geolocation information.

Synopsis

pcap2convxml [ -m ENTRY | --mode ENTRY ] [ -p FILENAME | --pcap-file FILENAME ] [ --cap-type TEXT ] [ --cap-int TEXT ] [ --display-filter TEXT ] [ --pref-opts TEXT ] [ --annotation TEXT ] [ --fqdn [true]|false ] [ --cap-host HOSTNAME|IPv4ADDR ] [ --cap-dumpcap-ver TEXT ] [ -d [true]|false | --debug [true]|false ] [ -h [true]|false | --help [true]|false ] [ -H [true]|false | --help-long [true]|false ] [ -v [true]|false | --verbose [true]|false ] [ --version [true]|false ]

Overview

The pcap2convxml script will produce an IPv4 Address conversation list from a 'pcap' file using Wireshark's tshark text-based network protocol analyzer with Geolocation information provided for each conversation host. The generated output will be sent to standard output (display) in XML format.
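The following is an added example (not the script's own code) of the core transformation the overview describes: reading the IPv4 conversation table that tshark prints and emitting it as XML with per-host Geolocation attributes. The tshark output and the GeoIP table are constructed samples, and the XML element names are illustrative, since the page does not document the script's schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `tshark -q -z conv,ip` output (classic numeric column layout).
SAMPLE_CONV = """\
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.20         <-> 93.184.216.34             12     9876      10     1540      22    11416     0.000000000         3.4172
192.168.1.20         <-> 192.168.1.1                2      180       2      200       4      380     0.102000000         0.0010
================================================================================
"""

# Constructed stand-in for a GeoIP database lookup (the real script relies on Wireshark's GeoIP data).
GEO_TABLE = {"93.184.216.34": {"country": "US"}}

CONV_RE = re.compile(r"^(\S+)\s+<->\s+(\S+)\s+(.*)$")
FIELDS = ("frames_to_a", "bytes_to_a", "frames_to_b", "bytes_to_b",
          "frames_total", "bytes_total", "rel_start", "duration")

def parse_ipv4_conversations(text):
    """Extract the '<->' rows. A row whose layout is unexpected raises instead of
    being silently mis-parsed (newer tshark builds append unit words to byte counts)."""
    convs = []
    for line in text.splitlines():
        m = CONV_RE.match(line)
        if not m:
            continue
        values = m.group(3).split()
        if len(values) != len(FIELDS):
            raise ValueError(f"unexpected conversation layout: {line!r}")
        conv = {"host_a": m.group(1), "host_b": m.group(2)}
        conv.update({k: (float(v) if "." in v else int(v)) for k, v in zip(FIELDS, values)})
        convs.append(conv)
    return convs

def conversations_to_xml(convs, annotation="", cap_host="", geo=GEO_TABLE):
    """Serialise the conversations as XML with one <host> element per endpoint."""
    root = ET.Element("ipv4conversations", {"cap_host": cap_host, "annotation": annotation})
    for c in convs:
        el = ET.SubElement(root, "conversation", {k: str(v) for k, v in c.items()})
        for ip in (c["host_a"], c["host_b"]):
            # ElementTree escapes attribute values, so an annotation or name cannot break the XML.
            ET.SubElement(el, "host", {"ip": ip, **geo.get(ip, {})})
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(conversations_to_xml(parse_ipv4_conversations(SAMPLE_CONV),
                               annotation="lab capture", cap_host="nst-probe.example"))
```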

Options

The following command line options are available:

[-m ENTRY] | [--mode ENTRY]

This option controls what the pcap2convxml script will do. Two modes are available: "xml" and "bash". If you specify "xml" (the default), this script will generate XML (Extensible Markup Language) formatted text to standard output (display) from the results of creating an IPv4 Address conversation list for the given "--pcap-file FILENAME" using Wireshark's tshark text-based network protocol analyzer, with Geolocation information provided for each conversation host. Specify "bash" to display internal 'Bash' variables specific to pcap2convxml for 'Bash' scripting integration.

[-p FILENAME] | [--pcap-file FILENAME]

Use this option to specify the source network packet capture file from which the IPv4 Address conversation list will be generated. The file format can be in Wireshark's native capture file format: "libpcap" ('pcap' for short) or any other supported Wireshark formats (See the manual page for Wireshark for all currently supported network packet capture file formats).

[--cap-type TEXT]

This option is used to identify the NST network packet capture type associated with the 'pcap-file'. If the capture was produced using the NST Single-Tap Network Packet Capture implementation, then use type: "STYPE" which is the default value. If the capture was produced using the NST Multi-Tap Network Packet Capture implementation, then use type: "MTYPE". This option is also used for the creation of a 'Hyperlink' back to the appropriate NST WUI network packet capture page when rendered by "Google Earth".

[--cap-int TEXT]

Use this option to describe the name of each network interface used on the host system that actually performed the network packet capture. If more than one interface is specified, use a comma (,) delimiter character between each interface described. For example, one can enter a single network interface name: "eth1" for a Single-Tap Network Packet Capture. The following is an example for a Multi-Tap Network Packet Capture: "Tap0: eth1, Tap1: eth3, Tap3: eth6". Typically, this option is filled in by the NST WUI when used by either the "Single-Tap" or "Multi-Tap" Network Packet Capture page. This option is also used to provide linkage back to the appropriate NST WUI network packet capture page when rendered by "Google Earth".

[--display-filter TEXT]

Apply a valid Wireshark display filter when generating the IPv4 Address conversation list. Only those packets that match the display filter will be used in the calculation. There is no default display filter, thus all packets will be used to generate the conversation list.

[--pref-opts TEXT]

Apply one or more valid Wireshark "Preference" options when generating the IPv4 Address conversation list. The preference option choices can be found in the global preference file: "/usr/share/wireshark/preferences". The applied option(s) will override the value(s) set in any preference file that is read in. Example 1 - Enable the lookup of IPv4 Addresses in each "GeoIP Database" that has been loaded: --pref-opts "'ip.use_geoip:TRUE'". Example 2 - Set the "Name Resolution Concurrency" and the default "SSL" port: --pref-opts "'name_resolve_concurrency:500' 'http.ssl.port:443'". ***Note: Enclose the entire option(s) parameter in double quotes with each preference option enclosed in a single quote.
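As an added illustration (not the script's own implementation) of the quoting rule above: once the invoking shell has consumed the outer double quotes, the script receives a single string containing single-quoted "name:value" items. The helper below splits that string into tshark "-o" arguments and assembles the whole tshark command as an argv list, so a display filter or preference value is passed as data rather than re-interpreted by a shell. The tshark flags used (-r, -Y, -o, -z conv,ip, -q, -n, -N) are standard tshark options; that the script invokes tshark in exactly this way is an assumption.

```python
import shlex
import subprocess

def pref_opts_to_tshark_args(pref_opts):
    """Turn a --pref-opts value into tshark '-o name:value' pairs.

    Example 2 from the man page arrives here as the string
    'name_resolve_concurrency:500' 'http.ssl.port:443'; shlex strips the inner
    single quotes and yields one preference option per item."""
    args = []
    for opt in shlex.split(pref_opts):
        name, sep, value = opt.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"preference option must look like name:value, got {opt!r}")
        args += ["-o", f"{name}:{value}"]
    return args

def build_tshark_argv(pcap_file, display_filter="", pref_opts="", fqdn=False):
    """Assemble the tshark command as an argv list (never a shell string), so a
    display filter containing quotes, '&&' or ';' cannot inject shell commands."""
    argv = ["tshark", "-q", "-r", pcap_file, "-z", "conv,ip"]
    argv += ["-N", "n"] if fqdn else ["-n"]   # -N n: resolve network names; -n: no resolution
    if display_filter:
        argv += ["-Y", display_filter]
    if pref_opts:
        argv += pref_opts_to_tshark_args(pref_opts)
    return argv

def run_conversation_stats(pcap_file, **kwargs):
    """Run tshark (assumed to be on PATH) and return its stdout text."""
    return subprocess.run(build_tshark_argv(pcap_file, **kwargs),
                          capture_output=True, text=True, check=True).stdout
```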

[--annotation TEXT]

Use this option to add an "Annotation" to the IPv4 Address conversation XML output. This is used to document the results for historical review and analysis. Enclose the annotation with single or double quotes.

[--fqdn [true]|false]

Use this option to try to resolve each IPv4 Address Conversation Host to its Fully Qualified Domain Name (FQDN).

[--cap-host HOSTNAME|IPv4ADDR]

Use this option to set the name of the host system that actually performed the network packet capture. Enter either a Fully Qualified Domain Name (FQDN) or an IP Address for the host system.

[--cap-dumpcap-ver TEXT]

Use this option to add the "dumpcap version" that was used to perform the network packet capture.

[-d [true]|false] | [--debug [true]|false]

Use this option to enable debug output. This option is mainly used by developers.

[-h [true]|false] | [--help [true]|false]

When this option is specified, pcap2convxml will display a short one line description of pcap2convxml, followed by a short description of each of the supported command line options. After displaying this information pcap2convxml will terminate.

[-H [true]|false] | [--help-long [true]|false]

This option will attempt to pull up additional pcap2convxml documentation within a text based web browser. You can force which browser we use by setting the environment variable TEXTBROWSER; otherwise, we will search for some common ones.

[-v [true]|false] | [--verbose [true]|false]

When you set this option to true, pcap2convxml will produce additional output. This is typically used for diagnostic purposes to help track down when things go wrong.

[--version [true]|false]

If this option is specified, the version number of the script is displayed.

Files

/usr/share/pcap2convxml

Directory containing resource files used by pcap2convxml.

Environment

TEXTBROWSER

This controls what text based browser is used to display help information about the script. If not set, we will search your system for available text-based browsers (Ex: elinks, lynx ...).

See Also

nstnewscript(1), Network Security Toolkit