I'd like to share a little .bat script that is helpful when dealing with the output of the nfdump command on the AMD HS. As you are aware, with the AMD HS the default capture command is no longer tcpdump but nfdump (run from the rcon AMD commands console). The difference between tcpdump and nfdump is the following:
"The result of nfdump traffic capture is a number of pcap files, one per each CPU worker thread involved in the capture. The pcap filename contains a unique filter id assigned to each capture."
So, to start your diagnostics, you should merge your capture files into one convenient file. To do so, you need to merge the output files located in /var/spool/adlex/spc/. They carry a unique filter id and should look like this:
spc.pcap.id.0000000004.th-01 spc.pcap.id.0000000004.th-02 ...
So, to merge such files you have different options, but the most popular one is without any doubt the command-line tool shipped with Wireshark called "mergecap.exe".
If you're running Wireshark on Linux it's not a big deal: move to /var/spool/adlex/spc/ and type one of the following commands (selecting the right set of capture files with the wildcard):
mergecap -v spc.pcap.*.pcap -w merged_output_file.pcap
mergecap -v *.pcap -w merged_output_file.pcap
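For the Linux case, here is an added example (my own script, not part of the original post) that goes one step beyond the one-liners above: it parses the spc.pcap.id.<filterid>.th-<n> names, merges the worker-thread files of each filter id into its own file, and writes the result under a name that does not match the input pattern, so a re-run never feeds an earlier merge back into mergecap. It assumes mergecap is on the PATH; the file names and directory are the ones quoted above.

```shell
#!/usr/bin/env bash
# Added example: per-filter-id merge of nfdump per-thread captures.
# Assumes the naming scheme spc.pcap.id.<filterid>.th-<n> and mergecap on PATH.
set -euo pipefail

# Extract the filter id from a capture file name, e.g.
#   spc.pcap.id.0000000004.th-01 -> 0000000004
# Prints nothing and returns 1 if the name does not follow the pattern.
filter_id_of() {
    local name=${1##*/}                  # strip any directory part
    case "$name" in
        spc.pcap.id.*.th-*)
            name=${name#spc.pcap.id.}    # drop the fixed prefix
            printf '%s\n' "${name%%.th-*}"   # drop the thread suffix
            ;;
        *) return 1 ;;
    esac
}

# List the distinct filter ids present in a capture directory, sorted.
list_filter_ids() {
    local dir=$1 f
    for f in "$dir"/spc.pcap.id.*.th-*; do
        [ -e "$f" ] || continue          # the glob matched nothing
        filter_id_of "$f" || true        # skip names that do not fit
    done | sort -u
}

# Merge the worker-thread files of every filter id found in $1 into
# $1/merged.<filterid>.pcap. The output name deliberately does not match
# the input glob, so running the script twice is safe.
merge_by_filter_id() {
    local dir=$1 id
    for id in $(list_filter_ids "$dir"); do
        mergecap -v -w "$dir/merged.$id.pcap" "$dir"/spc.pcap.id."$id".th-*
    done
}

# Usage: ./merge_spc.sh /var/spool/adlex/spc
if [ "${1-}" ]; then
    merge_by_filter_id "$1"
fi
```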
But if you're running Wireshark on Windows (for example because you didn't or couldn't install it on the Linux AMD), things can take too long... That's why I've created a little script to help you merge the output capture files instantly.
The body of the script is the following (copy and paste it, rename it as merge_capture.bat and put it in the folder where you copied your capture files):
@echo off
rem Collect every *.pcap file in the current folder into one space-separated list
setlocal enabledelayedexpansion
set capturefiles=
for %%f in (*.pcap) do set capturefiles=!capturefiles! %%f
rem Hand the whole list to mergecap (adjust the path if Wireshark is installed elsewhere).
rem Note: an earlier merged_capture.pcap in this folder also matches *.pcap, so delete it before re-running.
Cmd /V:on /c "C:\Program Files\Wireshark\mergecap.exe" -w merged_capture.pcap %capturefiles%
Once you have merge_capture.bat, copy it into your dumps directory and just execute it from the command line:
The result will be a "merged_capture.pcap" file containing the merged capture files ready to be opened in Wireshark to be analyzed.
The v2 of this script, as suggested by @ulf t., is the one where you can specify the filename you would like to give to the merged file as the first argument when executing merge_capture.bat:
@echo off
rem The first argument is the output name without extension; stop if it is missing.
if "%~1"=="" (echo Usage: merge_capture.bat output_name & exit /b 1)
setlocal enabledelayedexpansion
set capturefiles=
for %%f in (*.pcap) do set capturefiles=!capturefiles! %%f
rem e.g. "merge_capture.bat mydump" writes mydump.pcap
Cmd /V:on /c "C:\Program Files\Wireshark\mergecap.exe" -w %1.pcap %capturefiles%
So, instead, you need to execute the following command from the cmd line:
Hope that helps.
Please let me know if you have any questions or comments.