Here is a common scenario: a client has a random or intermittent issue with an application. One option is to set up a ring buffer so you can capture packets for an extended period of time. Unfortunately, one of the challenges you then have to deal with is working out which of the files contain the problem.
One approach is to ask the client to record the time and pick the file that was saved after that time. Unfortunately, this relies on the client recording the time during the issue rather than later, and on the capture tool and the client's clock being synchronized to the same time server.
The other approach, which I prefer, uses a ‘bookmark.’ A bookmark is simply some specific, easily recognized traffic that you generate during or after the issue, so you have a reference point for when it occurred. One of the bookmarks I use most often is a simple ping to a unique IP address like 5.4.3.2 (it doesn’t exist, so applications should not be using it).
The challenge is how do you find the packets when you have 20, 200, or 2000 files?
In this video, I show you how to do this with one line from the Windows command prompt, without installing additional software: the loop uses only the built-in Microsoft `for` command, and tshark ships with Wireshark.
for %a in (*.pcapng) do tshark -r %a -Y ip.addr==5.4.3.2
Where:
%a represents the files in that folder
*.pcapng defines the pattern of the existing trace files
do executes an external program
tshark -r %a reads the current file in the folder
-Y ip.addr==5.4.3.2 uses the Wireshark display filter syntax for a specific IP address
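One limitation of the one-liner is that tshark prints the matching packets but not the name of the file they came from, so with hundreds of files you still have to map output back to filenames. The following is an added example (not code from the post) that does the same job in Python without tshark: it reads each pcapng file directly, reports which files contain traffic to or from the bookmark address, and gives the timestamp of the first hit so you can line it up with the client's report. It assumes plain Ethernet frames (no VLAN tags) and the pcapng default microsecond timestamp resolution; the sample captures are constructed in memory with a tiny builder so the script runs offline.

```python
"""Find which pcapng files contain 'bookmark' traffic to a marker IP, without tshark.

Added example, not part of the original post. Parses only the pcapng subset
needed here: Section Header Block (endianness), Interface Description Block
(link type) and Enhanced Packet Block (timestamp + frame bytes).
"""
import struct
import ipaddress
from pathlib import Path
from typing import Iterable, Iterator, List, Tuple

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
LINKTYPE_ETHERNET = 1
TICKS_PER_SECOND = 1_000_000  # pcapng default (no if_tsresol option); assumed here


def _blocks(data: bytes) -> Iterator[Tuple[int, bytes, str]]:
    """Yield (block_type, body, endian) for every block in a pcapng byte string."""
    endian, off = "<", 0
    while off + 8 <= len(data):
        btype = struct.unpack_from(endian + "I", data, off)[0]
        if btype == SHB:  # the SHB's byte-order magic fixes endianness for the section
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or off + total > len(data):
            raise ValueError(f"corrupt pcapng block at offset {off}")
        yield btype, data[off + 8:off + total - 4], endian
        off += total


def find_bookmark(data: bytes, marker_ip: str) -> List[Tuple[int, float]]:
    """Return (packet_number, epoch_seconds) for each IPv4 packet with marker_ip as src or dst."""
    marker = ipaddress.ip_address(marker_ip).packed
    hits: List[Tuple[int, float]] = []
    link_types: List[int] = []  # interface ID -> link type, numbered per section
    pkt_no = 0
    for btype, body, e in _blocks(data):
        if btype == SHB:
            link_types = []
        elif btype == IDB:
            link_types.append(struct.unpack_from(e + "H", body, 0)[0])
        elif btype == EPB:
            if_id, ts_hi, ts_lo, cap_len = struct.unpack_from(e + "IIII", body, 0)
            pkt_no += 1
            if if_id >= len(link_types) or link_types[if_id] != LINKTYPE_ETHERNET:
                continue
            frame = body[20:20 + cap_len]          # packet data follows the 20-byte EPB header
            if len(frame) < 34 or frame[12:14] != b"\x08\x00":
                continue                           # not IPv4 over plain Ethernet (VLAN not handled)
            ip = frame[14:]
            if ip[0] >> 4 == 4 and marker in (ip[12:16], ip[16:20]):
                hits.append((pkt_no, ((ts_hi << 32) | ts_lo) / TICKS_PER_SECOND))
    return hits


def find_in_files(files: Iterable[Tuple[str, bytes]], marker_ip: str) -> List[Tuple[str, int, float]]:
    """The post's for-loop, with filenames: (name, hit_count, first_hit_epoch) for files that match."""
    out = []
    for name, data in files:
        hits = find_bookmark(data, marker_ip)
        if hits:
            out.append((name, len(hits), hits[0][1]))
    return out


def scan_directory(folder: str, marker_ip: str, pattern: str = "*.pcapng") -> List[Tuple[str, int, float]]:
    """Same as find_in_files, reading every file matching pattern from a folder on disk."""
    paths = sorted(Path(folder).glob(pattern))
    return find_in_files(((p.name, p.read_bytes()) for p in paths), marker_ip)


# --- constructed sample data (little-endian pcapng, one Ethernet interface) ---
def _block(btype: int, body: bytes) -> bytes:
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def _icmp_echo(src: str, dst: str) -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo request; checksums left zero (not validated here)."""
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"
    icmp = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"A" * 32
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + icmp


def build_sample_pcapng(frames: List[Tuple[bytes, int]]) -> bytes:
    """Constructed capture: SHB + Ethernet IDB + one EPB per (frame, timestamp_in_microseconds)."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535))
    epbs = b"".join(_block(EPB, struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(f), len(f)) + f)
                    for f, ts in frames)
    return shb + idb + epbs


def build_samples() -> Tuple[bytes, bytes]:
    """Two constructed 'trace files': ordinary traffic only, and the same plus the bookmark ping."""
    normal = _icmp_echo("10.0.0.5", "10.0.0.1")
    quiet = build_sample_pcapng([(normal, 1_700_000_000_000_000)])
    marked = build_sample_pcapng([(normal, 1_700_000_000_000_000),
                                  (_icmp_echo("10.0.0.5", "5.4.3.2"), 1_700_000_001_000_000),
                                  (normal, 1_700_000_002_000_000)])
    return quiet, marked


if __name__ == "__main__":
    quiet, marked = build_samples()
    for name, count, first in find_in_files([("trace_001.pcapng", quiet), ("trace_002.pcapng", marked)], "5.4.3.2"):
        print(f"{name}: {count} bookmark packet(s), first at epoch {first:.6f}")
    # On a real ring-buffer folder: scan_directory(r"C:\captures", "5.4.3.2")
```

Run it as-is to see the constructed case, or call `scan_directory` on the ring-buffer folder to get the list of files that hold the bookmark. Two practical notes on the original one-liner: the single `%a` form is for the interactive command prompt, and becomes `%%a` if you put the same line in a batch file; and whatever marker address you choose, confirm it is not in use on the network you are capturing, otherwise the filter will match ordinary traffic as well as your bookmark.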