tool for splitting pcap files by TCP connection?
Solution 1

You can also use PcapSplitter which is part of the PcapPlusPlus package. It does exactly what you need (which is splitting pcap files by TCP or UDP connection), it's multi-platform and it doesn't have a limit on the number of connections in the original file (so you can use it to split a large pcap file containing thousands of connections or even more). The link above is for the source code, but if you want a compiled binary - here is a link for binaries I made for several platforms

EDIT: apparently a new version of PcapPlusPlus was released and it contains PcapSplitter binaries for quite a lot of platforms (Windows, Ubuntu 12.04/14.04, Mac OSX Mavericks/Yosemite/El Capitan). I think it's better to use these binaries than the link I previously provided. You can find it here

Solution 2

You can use tcpdump to extract the portions of the pcap that you want... suppose you're looking for packets in a socket connection between TCP/55777 on one host and TCP/80 on another. Your source file is bigfile.pcap, which is a sniffer dump of many HTTP sessions to the web host in question...

tcpdump -r bigfile.pcap -w session.pcap -s0 tcp and port 55777

That will pull all the packets going to and from TCP/55777 in bigfile.pcap and copy them into session.pcap.

Solution 3

tcpflow is what you want - splits pcaps into one file per TCP session

http://www.circlemud.org/jelson/software/tcpflow/

Solution 4

A bit overkill, but using tshark (shipped with wireshark), you could do it with zsh:

file=file.pcap
# Pass 1: list every TCP stream number with the time and 4-tuple of its first packet
tshark -Tfields -e tcp.stream \
                -e frame.time_epoch \
                -e ip.src \
                -e tcp.srcport \
                -e ip.dst \
                -e tcp.dstport -r $file |
  # -s (stable) -n (numeric) -u (unique): keep one line per stream, the earliest packet winning
  sort -snu |
  # zsh: read -A splits each line into the array f (f[1] is the stream number)
  while read -A f; do
    # Pass 2: re-read the capture once per stream and write its packets to their own file
    tshark -r $file -2R "tcp.stream == $f[1]" -w ${(j:-:)f[2,-1]}.pcap
  done

Which generates files named like 1509466312.202450000-10.0.0.1-58892-10.0.0.2-80.pcap (based on the first packet seen for each connection).
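A single-pass alternative to the two-pass tshark loop above, added here as an example that is not from any of the answers: it parses the classic pcap format directly with Python's standard library, keys each packet on the sorted (ip, port) endpoint pair so both directions of a connection land in one file, and names the outputs the same way Solution 4 does (first-packet timestamp, then src-sport-dst-dport). It assumes Ethernet (DLT 1) IPv4 captures; make_frame and make_pcap are helpers that build constructed test data, and nothing is written to disk.

```python
import struct
from collections import defaultdict

def make_frame(src_ip, sport, dst_ip, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for testing (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs + EtherType 0x0800 (IPv4)

def make_pcap(frames, first_ts=1509466312):
    """Constructed little-endian classic pcap (DLT 1 = Ethernet), one second per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(f), len(f)) + f
    return out

def split_pcap_by_tcp_connection(pcap_bytes):
    """One pass over a classic pcap -> {filename: pcap bytes}, one output per TCP connection.
    Output names follow Solution 4's scheme: first-packet timestamp, then src-sport-dst-dport."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT 1) captures are handled here")
    outputs = defaultdict(lambda: bytearray(pcap_bytes[:24]))  # each file starts with the global header
    names, offset = {}, 24
    while offset + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        record = pcap_bytes[offset:offset + 16 + incl_len]
        frame = record[16:]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need Ethernet + a full IPv4 header
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 18 + ihl:  # IP protocol 6 = TCP; need both ports
            continue
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-agnostic connection key
        names.setdefault(key, "%d.%06d-%s-%d-%s-%d.pcap" % (ts_sec, ts_usec, src, sport, dst, dport))
        outputs[key] += record
    return {names[k]: bytes(v) for k, v in outputs.items()}
```

Because it streams records in order and keeps only per-connection buffers, the capture is read once; for a capture with many connections, replace the in-memory bytearrays with open file handles keyed the same way.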

Solution 5

There seems to be this tool which might work (I haven't used it personally)

http://www.netresec.com/?page=SplitCap (Windows based)

SplitCap is a free (as in beer) open source pcap file splitter. SplitCap splits one big pcap file into multiple files based on TCP and UDP sessions, one pcap file per session. SplitCap can also be used to split a pcap file into one pcap file per host-pair instead of session.


Author: Andre Holzner

Updated on September 18, 2022

Comments

  • Andre Holzner
    Andre Holzner over 1 year

    Is there a tool to split a packet capture file (in pcap format) into separate files for each TCP connection? (other than a home grown shell script which probably needs to run twice over the capture...). Something like wireshark's 'follow TCP stream' but for the command line (I'm afraid wireshark will consume a large amount of memory when displaying a 700 MB packet capture)

    I looked at tcpflow but it seems to produce files much larger than the original pcap files and they seem not to be in pcap format.

    • chris
      chris over 9 years
      The files that result from tcpflow are not pcaps, they are the actual tcp payloads of the tcp streams.
  • Andre Holzner
    Andre Holzner over 12 years
    as mentioned in the question, I tried it and did not understand why the resulting output files were much larger than the input (pcap) files...
  • kasperd
    kasperd almost 8 years
    Does -s0 have any effect when used together with -r?
  • takumar
    takumar over 5 years
    also tcpflow does not seem to be able to output pcap files.