how to split a pcap file into a set of smaller ones

Question

I have a huge pcap file (generated by tcpdump). When I try to open it in wireshark, the program just gets unresponsive. Is there a way to split a file in set of smaller ones to open them one by one? The traffic captured in a file is generated by two programs on two servers, so I can't split the file using tcpdump 'host' or 'port' filters. I've also tried linux 'split' command :-) but with no luck. Wireshark wouldn't recognize the format.

A little late, but the reason Wireshark won't read files which are the output of `split` is because split will divide on exact byte boundaries. This is highly likely to split a packet which invalidates some of the file content. — Burhan Ali, Nov 14 '12 at 17:01

score 82 · Accepted Answer · edited Jul 05 '12 at 08:47

82

You can use tcpdump itself with the -C, -r and -w options

tcpdump -r old_file -w new_files -C 10

The "-C" option specifies the size of the file to split into. Eg: In the above case new files size will be 10 million bytes each.

edited Jul 05 '12 at 08:47

pauska

19,532
4
55
75

answered Apr 13 '10 at 09:33

Dan Andreatta

5,384
2
23
14

1

You are an amazing human, Dan. – lobi Aug 29 '16 at 21:45
Is there a way to do this without breaking apart a session? (Assuming a single session is smaller than the size limit argument). – spanishgum Jan 05 '18 at 15:57
Quick: `tcpdump -r old_file -w new_files -C 1000` **splits on every 955MB of recorded traffic** – gies0r Jul 25 '19 at 10:06
I have a pcap file of 2GB, for me it creates only one split of 200MB and then it starts throwing error. invalid packet capture length 2704320705, bigger than snaplen of 262144 – Daemon Jul 27 '22 at 16:47

score 23 · Answer 2 · answered Apr 13 '10 at 08:23

23

Use the editcap utility which is distributed with Wireshark.

answered Apr 13 '10 at 08:23

Dan Carley

25,189
5
52
70

7

`editpcap -c 1000 input.pcap output.pcap` will split `input.pcap` up into captures with a maximum of 1000 packets per capture. The output will be multiple capture files formatted like `output_{index}_{timestamp}.pcap` – blachniet Feb 28 '14 at 18:56
1

Thank you blachniet for the example! But it's just `editcap`, not `editpcap`, right? – lindhe Oct 14 '17 at 08:43
One more example for getting records within the specified A-B time interval: editcap -A "2021-08-07 16:00:00.901917" -B "2021-08-07 16:30:00.901917" input.pcap output.pcap – victorm1710 Aug 09 '21 at 10:42
The path for the MacOS install is `/Applications/Wireshark.app/Contents/MacOS/editcap` – schieferstapel Nov 08 '21 at 07:58

seladb · Answer 3 · 2016-09-13T08:04:51.060

I know this answer is a little late, but it may serve other people as well. I found a great tool for splitting pcap files: PcapSplitter. It's part of the PcapPlusPlus library which means it's cross-platform (Win32, Linux and Mac OS), and it can split pcap files based on different criteria such as file size (what you seem to need) but also by connection, client/server IP, server port (similar to protocol), packet count, etc. I found it very useful. The link above is for the source code, but if you don't want/know how to compile, I created compiled binaries for several platforms I've been using this tool with. I recommend this tool very much

EDIT: apparently a new version of PcapPlusPlus was released and it contains PcapSplitter binaries for quite a lot of platforms (Windows, Ubuntu 12.04/14.04, Mac OSX Mavericks/Yosemite/El Captian). I think it's better to use these binaries than the link I previously provided. You can find it here

score 2 · Answer 4 · answered May 10 '11 at 17:29

2

The best and fastest way to go is to use SplitCap, which can split large packet dump files based on sessions for example. This way you'd get each TCP session in a separate PCAP file. SplitCap can also separate packets into pcap files based on IP addresses.

You can read more about SplitCap on the Netresec blog: http://www.netresec.com/?page=Blog&month=2011-05&post=Split-or-filter-your-PCAP-files-with-SplitCap

Download SplitCap from here: http://www.netresec.com/?page=SplitCap

Good luck!

answered May 10 '11 at 17:29

Netresec

21
2

Are there any linux versions ? – ychaouche Dec 29 '14 at 09:13
This is a nice program, put it lacks the capability to work with pcapng files. – Guntram Blohm Sep 22 '15 at 08:30

score 0 · Answer 5 · edited Jul 16 '19 at 21:59

0

tcpdump -w trace.pcap -W 48 -G 300 -C 100 -i any port 41110

-G 300 it will rotate in 5 minutes
-W 48 count of files
-C 100 file size 100 MB
port you can specify the port based on the application

edited Jul 16 '19 at 21:59

kubanczyk

13,502
5
40
55

answered Jul 16 '19 at 14:01

user531905

1

how to split a pcap file into a set of smaller ones

5 Answers5

Linked