19

Is there a tool to split a packet capture file (in pcap format) into separate files for each TCP connection? (other than a home-grown shell script which probably needs to run twice over the capture...). Something like Wireshark's 'Follow TCP Stream' but for the command line (I'm afraid Wireshark will consume a large amount of memory when displaying a 700 MB packet capture).

I looked at tcpflow but it seems to produce files much larger than the original pcap files and they seem not to be in pcap format.

Andre Holzner
  • The files that result from tcpflow are not pcaps, they are the actual tcp payloads of the tcp streams. – chris Aug 23 '14 at 05:06

6 Answers

10

You can use tcpdump to extract the portions of the pcap that you want... suppose you're looking for packets in a socket connection between TCP/55777 on one host and TCP/80 on another. Your source file is bigfile.pcap, which is a sniffer dump of many HTTP sessions to the web host in question...

tcpdump -r bigfile.pcap -w session.pcap -s0 tcp and port 55777

That will pull all the packets going to and from TCP/55777 in bigfile.pcap and copy them into session.pcap.

Mike Pennington
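The question mentions a home-grown script that would need two passes over the capture. As an added example (not part of the question or of any answer on this page), here is a single-pass splitter in Python that parses the classic pcap format directly, keys each Ethernet/IPv4/TCP frame by its direction-independent (ip, port, ip, port) tuple, and writes one pcap per connection while skipping non-TCP traffic and stopping cleanly at a capture that was cut short mid-packet. The packets it splits are constructed in the block itself (`SAMPLE_PCAP`); the output file names, `split_pcap` and the other function names are this example's own choices.

```python
"""Split a pcap into one pcap per TCP connection (added example, constructed data)."""
import os
import struct
from collections import OrderedDict

PCAP_MAGIC_LE = 0xa1b2c3d4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def tcp_connection_key(frame):
    """Direction-independent (ip, port, ip, port) key for an Ethernet/IPv4/TCP
    frame, or None for anything else (ARP, UDP, IPv6, truncated frames...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:      # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    a, b = (src, sport), (dst, dport)
    return a + b if a <= b else b + a   # both directions map to the same key


def iter_records(data):
    """Yield (record_bytes, frame_bytes) for each packet; stop at a truncated tail."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian microsecond pcap with Ethernet frames is handled")
    off = GLOBAL_HDR.size
    while off + PKT_HDR.size <= len(data):
        _sec, _usec, incl_len, _orig = PKT_HDR.unpack_from(data, off)
        end = off + PKT_HDR.size + incl_len
        if end > len(data):   # file cut short in the middle of a packet: keep what we have
            break
        yield data[off:end], data[off + PKT_HDR.size:end]
        off = end


def split_pcap(data, out_dir):
    """Write <ip>-<port>-<ip>-<port>.pcap per TCP connection; return {name: packet count}."""
    header = data[:GLOBAL_HDR.size]
    streams = OrderedDict()
    for record, frame in iter_records(data):
        key = tcp_connection_key(frame)
        if key is not None:
            streams.setdefault(key, []).append(record)
    os.makedirs(out_dir, exist_ok=True)
    counts = {}
    for key, records in streams.items():
        name = "%s-%d-%s-%d.pcap" % key
        with open(os.path.join(out_dir, name), "wb") as fh:
            fh.write(header)          # reuse the original global header
            fh.writelines(records)    # records keep their original timestamps
        counts[name] = len(records)
    return counts


# --- constructed sample capture (not real traffic) ---------------------------
def make_frame(src, sport, dst, dport, proto=6, payload=b""):
    """Minimal Ethernet/IPv4 + TCP (20 B header) or UDP (8 B header) frame; checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return eth + ip + l4


def build_pcap(frames):
    out = [GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(PKT_HDR.pack(1509466312 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    make_frame("10.0.0.1", 58892, "10.0.0.2", 80, payload=b"GET / HTTP/1.0\r\n\r\n"),
    make_frame("10.0.0.2", 80, "10.0.0.1", 58892, payload=b"HTTP/1.0 200 OK\r\n"),
    make_frame("10.0.0.1", 55777, "10.0.0.2", 80),
    make_frame("10.0.0.1", 5353, "10.0.0.3", 53, proto=17),   # UDP: must be ignored
    make_frame("10.0.0.2", 80, "10.0.0.1", 55777),
])


def demo():
    """Split the sample (and a deliberately truncated copy); re-read outputs to prove they parse."""
    import tempfile
    out_dir = tempfile.mkdtemp(prefix="split-")
    counts = split_pcap(SAMPLE_PCAP, out_dir)
    reread = {}
    for name in counts:
        with open(os.path.join(out_dir, name), "rb") as fh:
            reread[name] = sum(1 for _ in iter_records(fh.read()))
    truncated = split_pcap(SAMPLE_PCAP[:-5], os.path.join(out_dir, "truncated"))
    return counts, reread, truncated


if __name__ == "__main__":
    print(demo())
```

Memory use is the number of packets kept per connection, not the whole file at once if you switch the input to a streaming read; the point the tcpdump answer makes still holds: a BPF filter on one port extracts one session, while this keys every TCP connection in one pass.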
10

You can also use PcapSplitter which is part of the PcapPlusPlus package. It does exactly what you need (which is splitting pcap files by TCP or UDP connection), it's multi-platform and it doesn't have a limit on the number of connections in the original file (so you can use it to split a large pcap file containing thousands of connections or even more). The link above is for the source code, but if you want a compiled binary - here is a link for binaries I made for several platforms

EDIT: apparently a new version of PcapPlusPlus was released and it contains PcapSplitter binaries for quite a lot of platforms (Windows, Ubuntu 12.04/14.04, Mac OS X Mavericks/Yosemite/El Capitan). I think it's better to use these binaries than the link I previously provided. You can find it here

seladb
6

tcpflow is what you want - it splits pcaps into one file per TCP session

http://www.circlemud.org/jelson/software/tcpflow/

Sam
5

A bit overkill, but using tshark (shipped with Wireshark), you could do this with zsh:

file=file.pcap
# first pass: one line per packet with the stream index and the 5-tuple;
# "-Y tcp" keeps non-TCP packets (which have no tcp.stream) out of the list,
# otherwise their empty first field would collide with stream 0 in the sort
tshark -Tfields -e tcp.stream \
                -e frame.time_epoch \
                -e ip.src \
                -e tcp.srcport \
                -e ip.dst \
                -e tcp.dstport -Y tcp -r $file |
  # numeric, stable, unique on the stream index: first packet of each stream survives
  sort -snu |
  while read -A f; do
    # second pass per stream: f[1] is the stream index, the rest names the file
    tshark -r $file -2R "tcp.stream == $f[1]" -w ${(j:-:)f[2,-1]}.pcap
  done

This generates files named like 1509466312.202450000-10.0.0.1-58892-10.0.0.2-80.pcap (based on the first packet seen for each connection).

sch
2

There seems to be this tool which might work (I haven't used it personally):

http://www.netresec.com/?page=SplitCap (Windows based)

SplitCap is a free (as in beer) open source pcap file splitter. SplitCap splits one big pcap file into multiple files based on TCP and UDP sessions, one pcap file per session. SplitCap can also be used to split a pcap file into one pcap file per host-pair instead of session.

freethinker
1

Inspired by @sch, here is a bash version:

file=cap.pcap
# $tshark must hold the tshark command (on Windows, the full path to tshark.exe);
# fall back to whatever "tshark" is on PATH when it is not set
tshark=${tshark:-tshark}
# first pass: stream index plus 5-tuple per packet; "-Y tcp" drops non-TCP packets
$tshark -Tfields -e tcp.stream \
                -e frame.time_epoch \
                -e ip.src \
                -e tcp.srcport \
                -e ip.dst \
                -e tcp.dstport -Y tcp -r $file |
  sort -snu |
  while read -a f; do
  [[ "${f[5]}" ]] || continue  # sometimes there is no stream number ex. UDP
  # tr strips the CR that tshark on Windows appends to every line
  fileout=$(echo ${f[0]}__${f[1]}__${f[2]}__${f[3]}__${f[4]}__${f[5]} | tr -d '\r'  )
    # second pass per stream (-2R: two-pass read filter), one pcap per stream index
    $tshark -r $file -2R "tcp.stream == ${f[0]}" -w "$fileout.pcap"
  done
read   # wait for Enter before exiting

The filename will look like this: stream number__time__source IP__port__destination IP__port.pcap

tr -d '\r' is for Windows users, because tshark on Windows outputs CR LF.

Edit:

This solution with tshark is slow but sure. SplitCap is super fast, but when there is an error in some packet it crashes, while tshark only informs you about the error and continues:

tshark: The file "cap.pcap" appears to have been cut short in the middle of a packet.

And finally there is PcapSplitter, which is super fast too, but it needs the WinPcap driver; it doesn't work with the Npcap driver on Windows.

But there is a solution for SplitCap: using pcapfix I can fix the corrupt packets, and then SplitCap never crashes again. This is what I'm using now, because tshark is so slow at splitting.

And a solution for PcapSplitter I did was injecting the WinPcap DLL using any method, but while we have SplitCap, why do it?

Badr Elmers