Using tshark and parallel to quickly find target packets in a large number of pcap files, and a comparison of search times

1 Environment

I am using a guest machine on VMware Workstation 12 Player.

[root@admin ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

[root@admin ~]# uname -r
3.10.0-514.el7.x86_64

The guest machine has 4 CPUs.
[root@admin ~]# cat /proc/cpuinfo |grep processor
processor       : 0
processor       : 1
processor       : 2
processor       : 3

2 Preparation

2.1 Installing the tools

Install the tshark command.
[root@admin ~]# yum -y install wireshark
[root@admin ~]# tshark -v
TShark 1.10.14 (Git Rev Unknown from unknown)

Install the parallel command.
[root@admin ~]# yum -y install parallel
[root@admin ~]# parallel --version
GNU parallel 20160222

2.2 Creating the test pcap files

[root@admin ~]# mkdir tcpdump
[root@admin ~]# chown tcpdump:tcpdump tcpdump/
[root@admin ~]# ls -ld tcpdump/
drwxr-xr-x 2 tcpdump tcpdump 6  8月  4 19:55 tcpdump/
[root@admin ~]# cd tcpdump/

Run tcpdump. Specify 5M as the size of each pcap file.
[root@admin tcpdump]# tcpdump -i eth0 -C 5 -w tcpdump.cap

Open another terminal and run the following command.
This records the HTTP (TCP 80) packet exchange in the test pcap.
[root@admin tcpdump]# wget http://ftp.riken.jp/Linux/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1611.iso

Open yet another terminal.
Restart chronyd. This records the NTP (UDP 123) packet exchange in the test pcap.
[root@admin tcpdump]# systemctl restart chronyd

Look up the IP addresses of the NTP server. This records the DNS (UDP 53) packet exchange in the test pcap.
[root@admin tcpdump]# dig ntp.nict.jp +short
133.243.238.244
133.243.238.243
133.243.238.164
133.243.238.163

Run ping (ICMP echo request/reply) against the default gateway.
[root@admin tcpdump]# ping -c 1 192.168.0.1


At a suitable point, terminate wget.
[root@admin tcpdump]# pkill wget
[root@admin tcpdump]#

Terminate tcpdump as well by pressing Ctrl + C.
[root@admin tcpdump]# tcpdump -i eth0 -C 5 -w tcpdump.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C90991 packets captured
91247 packets received by filter
253 packets dropped by kernel


Check the captured pcap files. There are 20 files in total.
[root@admin tcpdump]# ls -l
合計 179900
-rw-r--r-- 1 root    root    88253767  8月  4 20:30 CentOS-7-x86_64-DVD-1611.iso
-rw-r--r-- 1 tcpdump tcpdump  5000086  8月  4 20:27 tcpdump.cap
-rw-r--r-- 1 tcpdump tcpdump  5000484  8月  4 20:27 tcpdump.cap1
-rw-r--r-- 1 tcpdump tcpdump  5001324  8月  4 20:28 tcpdump.cap10
-rw-r--r-- 1 tcpdump tcpdump  5001474  8月  4 20:29 tcpdump.cap11
-rw-r--r-- 1 tcpdump tcpdump  5000851  8月  4 20:29 tcpdump.cap12
-rw-r--r-- 1 tcpdump tcpdump  5000872  8月  4 20:29 tcpdump.cap13
-rw-r--r-- 1 tcpdump tcpdump  5000558  8月  4 20:29 tcpdump.cap14
-rw-r--r-- 1 tcpdump tcpdump  5000654  8月  4 20:29 tcpdump.cap15
-rw-r--r-- 1 tcpdump tcpdump  5000892  8月  4 20:29 tcpdump.cap16
-rw-r--r-- 1 tcpdump tcpdump  5000690  8月  4 20:30 tcpdump.cap17
-rw-r--r-- 1 tcpdump tcpdump  5000620  8月  4 20:30 tcpdump.cap18
-rw-r--r-- 1 tcpdump tcpdump   925062  8月  4 20:30 tcpdump.cap19
-rw-r--r-- 1 tcpdump tcpdump  5000949  8月  4 20:27 tcpdump.cap2
-rw-r--r-- 1 tcpdump tcpdump  5002209  8月  4 20:27 tcpdump.cap3
-rw-r--r-- 1 tcpdump tcpdump  5000984  8月  4 20:27 tcpdump.cap4
-rw-r--r-- 1 tcpdump tcpdump  5001074  8月  4 20:28 tcpdump.cap5
-rw-r--r-- 1 tcpdump tcpdump  5001168  8月  4 20:28 tcpdump.cap6
-rw-r--r-- 1 tcpdump tcpdump  5000684  8月  4 20:28 tcpdump.cap7
-rw-r--r-- 1 tcpdump tcpdump  5000460  8月  4 20:28 tcpdump.cap8
-rw-r--r-- 1 tcpdump tcpdump  5000456  8月  4 20:28 tcpdump.cap9

3 Time taken to search for packets when using parallel

3.1 Search time for SYN packets

[root@admin tcpdump]# time ls tcpdump*|parallel --tagstring  "{}:" --line-buffer -j +0 tshark -r {} 'tcp.flags.syn==1' and 'tcp.flags.ack==0' -n
-omitted-
tcpdump.cap:     20          7 192.168.0.100 -> 134.160.38.1 TCP 74 41444 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3738362 TSecr=0 WS=128
-omitted-

real    0m11.983s
user    0m36.809s
sys     0m7.251s

Check which CPUs are running tshark. You can see that it is running on all 4 CPUs.
[root@admin tcpdump]# ps -C tshark -o comm,psr
COMMAND         PSR
tshark            1
tshark            2
tshark            0
tshark            3

3.2 Search time for NTP packets

[root@admin tcpdump]# time ls tcpdump*|parallel --tagstring  "{}:" --line-buffer -j +0 tshark -r {} 'udp.port==123' -n
-omitted-
tcpdump.cap1:   717          1 192.168.0.100 -> 118.155.250.71 NTP 90 NTP Version 4, client
tcpdump.cap1:   756          2 118.155.250.71 -> 192.168.0.100 NTP 90 NTP Version 4, server
tcpdump.cap1:   792          2 192.168.0.100 -> 59.106.180.168 NTP 90 NTP Version 4, client
tcpdump.cap1:   859          2 59.106.180.168 -> 192.168.0.100 NTP 90 NTP Version 4, server
tcpdump.cap1:   1507          4 192.168.0.100 -> 104.198.83.7 NTP 90 NTP Version 4, client
tcpdump.cap1:   1524          4 104.198.83.7 -> 192.168.0.100 NTP 90 NTP Version 4, server
tcpdump.cap1:   3283         10 192.168.0.100 -> 52.198.17.95 NTP 90 NTP Version 4, client
tcpdump.cap1:   3317         10 52.198.17.95 -> 192.168.0.100 NTP 90 NTP Version 4, server
tcpdump.cap1:   3318         10 192.168.0.100 -> 52.198.17.95 ICMP 118 Destination unreachable (Port unreachable)
-rest omitted-

real    0m10.357s
user    0m31.443s
sys     0m5.870s

3.3 Search time for DNS packets

[root@admin tcpdump]# time ls tcpdump*|parallel --tagstring  "{}:" --line-buffer -j +0 tshark -r {} 'udp.port==53' -n
-omitted-
tcpdump.cap:     14          7 192.168.0.100 -> 192.168.3.1  DNS 72 Standard query 0xb756  A ftp.riken.jp
tcpdump.cap:     15          7 192.168.0.100 -> 192.168.3.1  DNS 72 Standard query 0x5427  AAAA ftp.riken.jp
tcpdump.cap:     18          7  192.168.3.1 -> 192.168.0.100 DNS 265 Standard query response 0xb756  CNAME riksun.riken.go.jp A 134.160.38.1
tcpdump.cap:     19          7  192.168.3.1 -> 192.168.0.100 DNS 148 Standard query response 0x5427  CNAME riksun.riken.go.jp
tcpdump.cap1:   3312         10 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0x7791  A 0.centos.pool.ntp.org
tcpdump.cap1:   3313         10 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xfc75  AAAA 0.centos.pool.ntp.org
tcpdump.cap1:   3386         10  192.168.3.1 -> 192.168.0.100 DNS 136 Standard query response 0xfc75
tcpdump.cap12:  Running as user "root" and group "root". This could be dangerous.
tcpdump.cap13:  Running as user "root" and group "root". This could be dangerous.
tcpdump.cap12:  3008          7 192.168.0.100 -> 192.168.3.1  DNS 82 Standard query 0x18e5  A ntp.nict.jp
tcpdump.cap12:  3211          7  192.168.3.1 -> 192.168.0.100 DNS 249 Standard query response 0x18e5  ★A 133.243.238.163 A 133.243.238.164 A 133.243.238.243 A 133.243.238.244
-omitted-
tcpdump.cap3:    26          0  192.168.3.1 -> 192.168.0.100 DNS 136 Standard query response 0xc2ed
tcpdump.cap3:   1895          4 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xfbe7  A 3.centos.pool.ntp.org
tcpdump.cap3:   1984          4  192.168.3.1 -> 192.168.0.100 DNS 503 Standard query response 0xfbe7  A 203.112.31.229 A 45.76.221.157 A 133.242.147.113 A 157.7.153.56
tcpdump.cap3:   1985          4 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xc2ed  AAAA 3.centos.pool.ntp.org
tcpdump.cap3:   2040          5  192.168.3.1 -> 192.168.0.100 DNS 136 Standard query response 0xc2ed
tcpdump.cap4:   727          2 192.168.0.100 -> 192.168.3.1  DNS 82 Standard query 0xc4e2  A ntp.nict.jp
tcpdump.cap4:   747          2  192.168.3.1 -> 192.168.0.100 DNS 249 Standard query response 0xc4e2  ★A 133.243.238.163 A 133.243.238.164 A 133.243.238.243 A 133.243.238.244
tcpdump.cap4:   3994         10 192.168.0.100 -> 192.168.3.1  DNS 82 Standard query 0x0fb6  A ntp.nict.jp
tcpdump.cap4:   4031         10  192.168.3.1 -> 192.168.0.100 DNS 249 Standard query response 0x0fb6  ★A 133.243.238.163 A 133.243.238.164 A 133.243.238.243 A 133.243.238.244
-rest omitted-

real    0m10.133s
user    0m31.004s
sys     0m6.497s

3.4 Search time for ICMP packets

[root@admin tcpdump]# time ls tcpdump*|parallel --tagstring  "{}:" --line-buffer -j +0 tshark -r {} 'icmp.type==8' or 'icmp.type==0' -n
-omitted-
tcpdump.cap14:  643          1 192.168.0.100 -> 192.168.0.1  ICMP 98 Echo (ping) request  id=0x04fc, seq=1/256, ttl=64
tcpdump.cap14:  821          1  192.168.0.1 -> 192.168.0.100 ICMP 98 Echo (ping) reply    id=0x04fc, seq=1/256, ttl=255 (request in 643)
-omitted-
tcpdump.cap5:   2167          5 192.168.0.100 -> 192.168.0.1  ICMP 98 Echo (ping) request  id=0x04f3, seq=1/256, ttl=64
tcpdump.cap5:   2236          5  192.168.0.1 -> 192.168.0.100 ICMP 98 Echo (ping) reply    id=0x04f3, seq=1/256, ttl=255 (request in 2167)
-omitted-

real    0m10.103s
user    0m31.098s
sys     0m5.644s
[root@admin tcpdump]#
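
The searches above hand files to parallel in `ls` order (tcpdump.cap, tcpdump.cap1, tcpdump.cap10, ...) and print hits as jobs finish, so results are not chronological. The following is an added example, not part of the original article: it lists the rotated files in capture order, uses parallel's -k so tagged output follows that order, and passes the display filter as a single -Y argument with -q so parallel's shell does not re-split it. The function names are made up for this example, and file names are assumed to contain no tabs or newlines.

```shell
#!/bin/sh
# Added example: search tcpdump -C rotation files in capture order.
# ordered_captures and search_captures are hypothetical helper names.
# Run it as an unprivileged user that can read the captures; tshark
# prints "Running as user "root" ... This could be dangerous." otherwise.

# Print the rotation set <dir>/<base>, <base>1, <base>2, ... in numeric
# order. Files whose suffix is not purely numeric are skipped.
ordered_captures() {
    dir=$1
    base=$2
    for f in "$dir/$base"*; do
        [ -f "$f" ] || continue
        n=${f#"$dir/$base"}
        case $n in
            '') n=0 ;;               # first file has no numeric suffix
            *[!0-9]*) continue ;;    # e.g. tcpdump.cap.bak
        esac
        printf '%s\t%s\n' "$n" "$f"
    done | sort -n | cut -f2-
}

# Run one tshark per file on all CPUs; -k keeps output in input order,
# --tag prefixes each line with the file name, -q preserves the quoting
# of the filter string. $3 is a Wireshark display filter.
search_captures() {
    ordered_captures "$1" "$2" |
        parallel -q -k --tag -j +0 tshark -n -r {} -Y "$3"
}

# Usage: script.sh <dir> <base> '<display filter>'
# e.g.   script.sh . tcpdump.cap 'tcp.flags.syn==1 and tcp.flags.ack==0'
if [ "$#" -ge 3 ]; then
    search_captures "$1" "$2" "$3"
fi
```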

4 Time taken to search for packets without parallel

4.1 Search time for SYN packets

[root@admin tcpdump]# time find . -name  'tcpdump*' -print -exec tshark -r {} 'tcp.flags.syn==1' and 'tcp.flags.ack==0' \;
./tcpdump.cap
Running as user "root" and group "root". This could be dangerous.
 20          7 192.168.0.100 -> 134.160.38.1 TCP 74 41444 > http [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3738362 TSecr=0 WS=128
-rest omitted-

real    0m20.776s
user    0m17.906s
sys     0m2.789s
[root@admin tcpdump]#

4.2 Search time for NTP packets

[root@admin tcpdump]# time find . -name  'tcpdump*' -print -exec tshark -r {} 'udp.port==123'  \;
./tcpdump.cap
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap1
Running as user "root" and group "root". This could be dangerous.
717          1 192.168.0.100 -> 118.155.250.71 NTP 90 NTP Version 4, client
756          2 118.155.250.71 -> 192.168.0.100 NTP 90 NTP Version 4, server
792          2 192.168.0.100 -> 59.106.180.168 NTP 90 NTP Version 4, client
859          2 59.106.180.168 -> 192.168.0.100 NTP 90 NTP Version 4, server
1507          4 192.168.0.100 -> 104.198.83.7 NTP 90 NTP Version 4, client
1524          4 104.198.83.7 -> 192.168.0.100 NTP 90 NTP Version 4, server
3283         10 192.168.0.100 -> 52.198.17.95 NTP 90 NTP Version 4, client
3317         10 52.198.17.95 -> 192.168.0.100 NTP 90 NTP Version 4, server
3318         10 192.168.0.100 -> 52.198.17.95 ICMP 118 Destination unreachable (Port unreachable)
./tcpdump.cap2
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap3
Running as user "root" and group "root". This could be dangerous.
2132          5 192.168.0.100 -> 203.112.31.229 NTP 90 NTP Version 4, client
2180          5 203.112.31.229 -> 192.168.0.100 NTP 90 NTP Version 4, server
2248          5 192.168.0.100 -> 117.102.176.202 NTP 90 NTP Version 4, client
2264          5 117.102.176.202 -> 192.168.0.100 NTP 90 NTP Version 4, server
2334          5 192.168.0.100 -> 150.95.148.140 NTP 90 NTP Version 4, client
2355          5 150.95.148.140 -> 192.168.0.100 NTP 90 NTP Version 4, server
2441          6 192.168.0.100 -> 153.128.30.125 NTP 90 NTP Version 4, client
2470          6 153.128.30.125 -> 192.168.0.100 NTP 90 NTP Version 4, server
3114          7 192.168.0.100 -> 203.112.31.229 NTP 90 NTP Version 4, client
3138          7 203.112.31.229 -> 192.168.0.100 NTP 90 NTP Version 4, server
3238          8 192.168.0.100 -> 117.102.176.202 NTP 90 NTP Version 4, client
3239          8 192.168.0.100 -> 150.95.148.140 NTP 90 NTP Version 4, client
3308          8 192.168.0.100 -> 153.128.30.125 NTP 90 NTP Version 4, client
3317          8 150.95.148.140 -> 192.168.0.100 NTP 90 NTP Version 4, server
3321          8 117.102.176.202 -> 192.168.0.100 NTP 90 NTP Version 4, server
3375          8 153.128.30.125 -> 192.168.0.100 NTP 90 NTP Version 4, server
3884          9 192.168.0.100 -> 203.112.31.229 NTP 90 NTP Version 4, client
3915          9 203.112.31.229 -> 192.168.0.100 NTP 90 NTP Version 4, server
4066         10 192.168.0.100 -> 150.95.148.140 NTP 90 NTP Version 4, client
4072         10 150.95.148.140 -> 192.168.0.100 NTP 90 NTP Version 4, server
4166         10 192.168.0.100 -> 153.128.30.125 NTP 90 NTP Version 4, client
4167         10 192.168.0.100 -> 117.102.176.202 NTP 90 NTP Version 4, client
4190         10 117.102.176.202 -> 192.168.0.100 NTP 90 NTP Version 4, server
4193         10 153.128.30.125 -> 192.168.0.100 NTP 90 NTP Version 4, server
4509         11 192.168.0.100 -> 203.112.31.229 NTP 90 NTP Version 4, client
4543         12 203.112.31.229 -> 192.168.0.100 NTP 90 NTP Version 4, server
-omitted-

real    0m21.999s
user    0m18.899s
sys     0m3.071s

4.3 Search time for DNS packets

[root@admin tcpdump]# time find . -name  'tcpdump*' -print -exec tshark -r {} 'udp.port==53'  \;
./tcpdump.cap
Running as user "root" and group "root". This could be dangerous.
 14          7 192.168.0.100 -> 192.168.3.1  DNS 72 Standard query 0xb756  A ftp.riken.jp
 15          7 192.168.0.100 -> 192.168.3.1  DNS 72 Standard query 0x5427  AAAA ftp.riken.jp
 18          7  192.168.3.1 -> 192.168.0.100 DNS 265 Standard query response 0xb756  CNAME riksun.riken.go.jp A 134.160.38.1
 19          7  192.168.3.1 -> 192.168.0.100 DNS 148 Standard query response 0x5427  CNAME riksun.riken.go.jp
./tcpdump.cap1
Running as user "root" and group "root". This could be dangerous.
3312         10 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0x7791  A 0.centos.pool.ntp.org
3313         10 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xfc75  AAAA 0.centos.pool.ntp.org
3386         10  192.168.3.1 -> 192.168.0.100 DNS 136 Standard query response 0xfc75
./tcpdump.cap2
Running as user "root" and group "root". This could be dangerous.
529          1 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0x7791  A 0.centos.pool.ntp.org
644          1  192.168.3.1 -> 192.168.0.100 DNS 503 Standard query response 0x7791  A 117.102.176.202 A 59.106.180.168 A 157.7.235.92 A 129.250.35.251
645          1 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xfc75  AAAA 0.centos.pool.ntp.org
722          1  192.168.3.1 -> 192.168.0.100 DNS 136 Standard query response 0xfc75
727          1 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0x2211  A 1.centos.pool.ntp.org
728          1 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xf04a  AAAA 1.centos.pool.ntp.org
799          2  192.168.3.1 -> 192.168.0.100 DNS 136 Standard query response 0xf04a
2578          6 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0x2211  A 1.centos.pool.ntp.org
2646          7  192.168.3.1 -> 192.168.0.100 DNS 503 Standard query response 0x2211  A 150.95.148.140 A 157.7.154.29 A 106.185.31.36 A 172.104.105.31
2647          7 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xf04a  AAAA 1.centos.pool.ntp.org
2717          7  192.168.3.1 -> 192.168.0.100 DNS 136 Standard query response 0xf04a
2721          7 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0x19eb  A 2.centos.pool.ntp.org
2722          7 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0x96fe  AAAA 2.centos.pool.ntp.org
2833          7  192.168.3.1 -> 192.168.0.100 DNS 503 Standard query response 0x19eb  A 178.32.222.29 A 46.19.96.19 A 91.206.16.3 A 199.182.221.110
4410         12 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0x19eb  A 2.centos.pool.ntp.org
4507         12  192.168.3.1 -> 192.168.0.100 DNS 503 Standard query response 0x19eb  A 153.128.30.125 A 116.58.172.182 A 45.76.218.213 A 45.76.98.188
4509         12 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0x96fe  AAAA 2.centos.pool.ntp.org
4613         12  192.168.3.1 -> 192.168.0.100 DNS 441 Standard query response 0x96fe
4614         12 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xfbe7  A 3.centos.pool.ntp.org
4615         12 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xc2ed  AAAA 3.centos.pool.ntp.org
./tcpdump.cap3
Running as user "root" and group "root". This could be dangerous.
 26          0  192.168.3.1 -> 192.168.0.100 DNS 136 Standard query response 0xc2ed
1895          4 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xfbe7  A 3.centos.pool.ntp.org
1984          4  192.168.3.1 -> 192.168.0.100 DNS 503 Standard query response 0xfbe7  A 203.112.31.229 A 45.76.221.157 A 133.242.147.113 A 157.7.153.56
1985          4 192.168.0.100 -> 192.168.3.1  DNS 81 Standard query 0xc2ed  AAAA 3.centos.pool.ntp.org
2040          5  192.168.3.1 -> 192.168.0.100 DNS 136 Standard query response 0xc2ed
./tcpdump.cap4
Running as user "root" and group "root". This could be dangerous.
727          2 192.168.0.100 -> 192.168.3.1  DNS 82 Standard query 0xc4e2  A ntp.nict.jp
747          2  192.168.3.1 -> 192.168.0.100 DNS 249 Standard query response 0xc4e2  A 133.243.238.163 A 133.243.238.164 A 133.243.238.243 A 133.243.238.244
3994         10 192.168.0.100 -> 192.168.3.1  DNS 82 Standard query 0x0fb6  A ntp.nict.jp
4031         10  192.168.3.1 -> 192.168.0.100 DNS 249 Standard query response 0x0fb6  A 133.243.238.163 A 133.243.238.164 A 133.243.238.243 A 133.243.238.244
./tcpdump.cap5
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap6
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap7
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap8
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap9
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap10
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap11
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap12
Running as user "root" and group "root". This could be dangerous.
3008          7 192.168.0.100 -> 192.168.3.1  DNS 82 Standard query 0x18e5  A ntp.nict.jp
3211          7  192.168.3.1 -> 192.168.0.100 DNS 249 Standard query response 0x18e5  A 133.243.238.163 A 133.243.238.164 A 133.243.238.243 A 133.243.238.244
./tcpdump.cap13
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap14
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap15
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap16
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap17
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap18
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap19
Running as user "root" and group "root". This could be dangerous.

real    0m21.148s
user    0m18.002s
sys     0m3.125s

4.4 Search time for ICMP packets

[root@admin tcpdump]# time find . -name  'tcpdump*' -print -exec tshark -r {} 'icmp.type==8' or 'icmp.type==0' \;
./tcpdump.cap
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap1
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap2
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap3
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap4
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap5
Running as user "root" and group "root". This could be dangerous.
2167          5 192.168.0.100 -> 192.168.0.1  ICMP 98 Echo (ping) request  id=0x04f3, seq=1/256, ttl=64
2236          5  192.168.0.1 -> 192.168.0.100 ICMP 98 Echo (ping) reply    id=0x04f3, seq=1/256, ttl=255 (request in 2167)
./tcpdump.cap6
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap7
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap8
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap9
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap10
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap11
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap12
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap13
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap14
Running as user "root" and group "root". This could be dangerous.
643          1 192.168.0.100 -> 192.168.0.1  ICMP 98 Echo (ping) request  id=0x04fc, seq=1/256, ttl=64
821          1  192.168.0.1 -> 192.168.0.100 ICMP 98 Echo (ping) reply    id=0x04fc, seq=1/256, ttl=255 (request in 643)
./tcpdump.cap15
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap16
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap17
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap18
Running as user "root" and group "root". This could be dangerous.
./tcpdump.cap19
Running as user "root" and group "root". This could be dangerous.

real    0m20.091s
user    0m16.811s
sys     0m3.267s

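5 Comparison of search times

I compared the search times with and without parallel. The unit is seconds.
You can see that the search time is shorter with parallel. (I did not clear the cache each time; is that OK???)
I think the difference in search time will be even larger when there are many files and each file is large.

                    SYN  NTP  DNS  ping
With parallel        12   10   10    10
Without parallel     21   22   21    20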
