5

I refer to this thread: how to split a pcap file into a set of smaller ones

I have tried to use the command `tcpdump -r old_file -w new_files -C 4096` and tcpdump returns `tcpdump: invalid file size 4096`.

So far I have tested up to 2048 (x1,000,000 bytes) and it successfully split a large pcap file into files of 2GB each. Is there any way to split a large pcap file (e.g. 20GB) into smaller files of 4GB each?

CheeHow
  • If you look at line 1005 in https://github.com/the-tcpdump-group/tcpdump/blob/8552a1a3ae41b460a5eccdfc607f91fcbc42ced7/tcpdump.c, you'll find the source of the error... CFlag seems to be declared as an `int`... It might be possible to patch `netdissect.h` to use an `unsigned int`, a `long` or `long long` (depending on the architecture) for it... The other options from the other question might not be limited by the size of an `int`? – Gert van den Berg Nov 28 '14 at 06:47

2 Answers

3

Unless you're willing to change the source and recompile you're not going to get tcpdump to do it natively.

```c
/* Handling of the -C option in tcpdump.c: the size is parsed into an int,
 * so values that overflow after the multiplication become negative. */
case 'C':
        Cflag = atoi(optarg) * 1000000;
        if (Cflag < 0)
            error("invalid file size %s", optarg);
        break;
```

You would need to find and modify the type of `Cflag`. That, though, may lead to other unexpected issues.

You could try splitting it into 2GB chunks and then removing the 20 byte file header from the second file of each pair (dd seek is your friend) then use cat to concatenate the 2 files together.

user9517
  • Thanks for the support out there for sourcing the cause of the issue. Though I have not tried on the source code, I find this may temporarily solve the issue. – CheeHow Nov 28 '14 at 07:11
  • `dd bs=20 seek=1` would indeed skip the first 20 bytes and copy the rest to stdout, but it would read the input 20 bytes at a time, which is not very efficient. Is there any way to get it to seek to position 20 and then read from there with a larger block size? – kasperd Nov 28 '14 at 07:34
  • @kasperd There are probably lots of ways of doing it but I wouldn't know how efficient for example `tail -c +N` would be in comparison. – user9517 Nov 28 '14 at 08:36
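Splitting a capture at packet boundaries without going through tcpdump's int-sized `-C` value, as an added example that is not code from this thread or from tcpdump: it reads the 24-byte libpcap global header (magic, version, thiszone, sigfigs, snaplen, linktype) and the 16-byte per-packet record header, copies whole records into chunks of at most `max_bytes` each, and prefixes every chunk with the original global header so each one is a valid capture on its own. The function and parameter names are my own; it also rejects truncated records and `incl_len` values above `snaplen` rather than silently misparsing a corrupt file.

```python
import io
import struct

GLOBAL_HDR_LEN = 24   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_usec (or ts_nsec), incl_len, orig_len
# Magic as read little-endian: usec/nsec from a little-endian writer, then from a big-endian one.
ENDIAN_BY_MAGIC = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}

def iter_records(fp, endian, snaplen):
    """Yield each packet record (16-byte record header + captured bytes) as raw bytes."""
    while rec_hdr := fp.read(RECORD_HDR_LEN):
        if len(rec_hdr) < RECORD_HDR_LEN:
            raise ValueError("truncated record header")
        incl_len = struct.unpack(endian + "I", rec_hdr[8:12])[0]
        if incl_len > snaplen:   # a corrupt length here would desynchronise every later record
            raise ValueError("incl_len %d exceeds snaplen %d" % (incl_len, snaplen))
        body = fp.read(incl_len)
        if len(body) < incl_len:
            raise ValueError("truncated packet data")
        yield rec_hdr + body

def split_pcap(fp, max_bytes, open_chunk):
    """Copy records from fp into chunks of at most max_bytes bytes, each a complete pcap with
    its own global header; never splits a packet. open_chunk(i) -> writable stream. Returns sizes."""
    hdr = fp.read(GLOBAL_HDR_LEN)
    if len(hdr) < GLOBAL_HDR_LEN:
        raise ValueError("file too short for a pcap global header")
    endian = ENDIAN_BY_MAGIC.get(struct.unpack("<I", hdr[:4])[0])
    if endian is None:
        raise ValueError("not a pcap file: unknown magic")
    snaplen = struct.unpack(endian + "I", hdr[16:20])[0]
    sizes, out = [], None
    for rec in iter_records(fp, endian, snaplen):
        # New chunk when this record would not fit; a lone record over max_bytes still gets its own chunk.
        if out is None or sizes[-1] + len(rec) > max_bytes:
            out = open_chunk(len(sizes))
            out.write(hdr)
            sizes.append(GLOBAL_HDR_LEN)
        out.write(rec)
        sizes[-1] += len(rec)
    return sizes

def split_pcap_bytes(data, max_bytes):
    """In-memory wrapper (tests, small files): return the chunks as a list of bytes objects."""
    chunks = []
    def open_chunk(i):
        chunks.append(io.BytesIO())
        return chunks[-1]
    split_pcap(io.BytesIO(data), max_bytes, open_chunk)
    return [c.getvalue() for c in chunks]
```

For a large file on disk, stream it instead of loading it: `split_pcap(open("big.pcap", "rb"), 4000 * 1000 * 1000, lambda i: open("chunk%03d.pcap" % i, "wb"))`.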
2

There's a patch available for tcpdump in its GitHub repository, see issue #488. Applying the patch and compiling is really easy if you follow the instructions described in INSTALL.txt (see the repository's root directory).

Alternatively, you can also use the library PcapPlusPlus. In its GitHub repository there's an example called PcapSplitter which does exactly the same as `tcpdump -C`. However, you need to compile it as well before you can use it. But there's a Makefile available.

Patrick
  • thanks for the constructive way of splitting PCAP. I will try it out to see if it qualifies for an upgrade to my existing software :) cheers – CheeHow Nov 14 '16 at 05:49
  • If you want to use a compiled version of PcapSplitter you can find it [here](https://github.com/seladb/PcapPlusPlus/releases/tag/v16.09). There are compiled versions for Windows, Mac OS X and Ubuntu – seladb Dec 05 '16 at 19:56