Forensicators, tune in for 'PCAP Command-Line Madness' with @Hal_pomeranz | #DFIR Webcast Series | Tuesday, June 26, 2018 - 6:00 pm #Singapore / 7:00 pm #Tokyo / 8:00 pm #Canberra | sans.org/u/ETa
Thanks Hal @hal_pomeranz for the great session. Learned a lot of useful commands ⌨️. One quick question: some of these commands use a few pipes (|). Will that not impact performance when processing large pcap files? What file size would you recommend for using the CLI, if any?
The biggest problem is not the pipes, but the size of the PCAP. tshark starts to use too much memory when the PCAP is several GB in size. Use tcpdump to make a smaller PCAP.

Jun 27, 2018 · 7:01 AM UTC
