How do I get a specific range of packets from a large pcap file with tcpdump?

It is quite simple using editcap that comes along with Wireshark (at least on CentOS and Debian). For the 5,000,000 to 5,000,020 packet numbers, you can do:

editcap -r <big_pcap_file> <new_pcap_file> 5000000-5000020

You can just use tshark like this:

$ tshark -r <pcapfile> -Y "frame.number >= 3 && frame.number <= 5" -w <output-pcapfile>

E.g.:

$ tshark -r mae1_799.pcap -Y "frame.number >= 3 && frame.number <= 5"
3   0.000426 192.168.31.86 → 192.168.31.55 SCTP 64 SACK 
4   0.011255 192.168.60.55 → 192.168.201.55 TCP 68 80 → 53917 [ACK] Seq=1 Ack=1 Win=237 Len=0 TSval=3820568953 TSecr=1221428662
5   0.015323 192.168.12.3 → 192.168.12.2 SCTP 76 HEARTBEAT

You can write to a new file using the -w option:

$ tshark -r mae1_799.pcap -Y "frame.number >= 3 && frame.number <= 5" -w new.pcap

And make sure you have the required packets:

$ tcpdump -r new.pcap 
reading from file new.pcap, link-type LINUX_SLL (Linux cooked)
10:22:00.076746 IP 192.168.31.86.2905 > 192.168.31.55.2905: sctp (1) [SACK] [cum ack 661849925] [a_rwnd 102400] [#gap acks 0] [#dup tsns 0] 
10:22:00.087575 IP 192.168.60.55.http > 192.168.201.55.53917: Flags [.], ack 1035058538, win 237, options [nop,nop,TS val 3820568953 ecr 1221428662], length 0
10:22:00.091643 IP 192.168.12.3.2009 > 192.168.12.2.2008: sctp (1) [HB REQ] 

As of the Wireshark 2.6.0 release, you can use the membership operator for a range, like frame.number in {start..end}:

$ tshark -r mae1_799.pcap -Y "frame.number in {3..5}"
3   0.000426 192.168.31.86 → 192.168.31.55 SCTP 64 SACK 
4   0.011255 192.168.60.55 → 192.168.201.55 TCP 68 80 → 53917 [ACK] Seq=1 Ack=1 Win=237 Len=0 TSval=3820568953 TSecr=1221428662
5   0.015323 192.168.12.3 → 192.168.12.2 SCTP 76 HEARTBEAT 

Write to a file:

$ tshark -r mae1_799.pcap -Y "frame.number in {3..5}" -w new.pcap

You can use a small program named trigcap. Trigcap is part of Xplico. The source code can also be downloaded from here: https://github.com/M0Rf30/xplico/tree/master/system/trigcap

You pose a very interesting question (at least to me!), so I started researching for an answer.

I was somewhat surprised to see that the tcpdump man page and docs do not include any mention of packet number, which I would have thought it would for use with the -r option (reading from pcap file). I'm starting to think that the pcap output file does NOT include a packet number?

I do know that if you load it into Wireshark, you WILL see a packet number in the leftmost column, but since you're talking about a 100Gb file I did not want to suggest you load it into Wireshark (maybe Wireshark on a Linux server can deal with that? Dunno...)

Anyways, I came across editcap, which I have not used in the past but is a command-line tool that is part of Wireshark. editcap does allow you to specify packet number or packet number range. So this made me think that maybe packet number is just a Wireshark thing, and that pcap files just stores the packets without caring about labeling any order numbers?

editcap - man page: http://www.wireshark.org/docs/man-pages/editcap.html

editcap - user guide: http://www.wireshark.org/docs/wsug_html_chunked/AppToolseditcap.html

Be careful, since it seems that editcap's main function is to remove packets (duplicates), so watch out for any default behaviors there!

Hope this helps, and if anybody has more light to shed on this I'd love to hear it!
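As an added example (not code from any of the answers above, nor from tcpdump or Wireshark), here is a small Python reader that walks the classic libpcap file format and writes out frames N..M by position, the same 1-based count that tshark's frame.number uses. It assumes classic pcap (not pcapng) and feeds itself a constructed in-memory capture, and it illustrates the point raised in the last answer: the file carries no packet numbers at all, so a frame number is only the record's position and extracting a range means reading every record from the start up to the last one wanted.

```python
import struct

# Classic pcap layout: 24-byte global header, then per packet a 16-byte record
# header (ts_sec, ts_frac, incl_len, orig_len) followed by incl_len bytes.
# No record carries a number; the "frame number" is just its 1-based position.
_MAGIC_ORDER = {
    0xA1B2C3D4: ">",  # microsecond timestamps, big-endian writer
    0xD4C3B2A1: "<",  # microsecond timestamps, little-endian writer
    0xA1B23C4D: ">",  # nanosecond timestamps, big-endian writer
    0x4D3CB2A1: "<",  # nanosecond timestamps, little-endian writer
}

def byte_order(data):
    """Return the struct byte-order prefix implied by the pcap magic number."""
    magic = struct.unpack(">I", data[:4])[0]
    if magic not in _MAGIC_ORDER:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    return _MAGIC_ORDER[magic]

def iter_records(data):
    """Yield (raw_record_header, packet_bytes) in file order."""
    order = byte_order(data)
    offset = 24
    while offset + 16 <= len(data):
        header = data[offset:offset + 16]
        incl_len = struct.unpack(order + "I", header[8:12])[0]
        start = offset + 16
        if start + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % offset)
        yield header, data[start:start + incl_len]
        offset = start + incl_len

def slice_pcap(data, first, last):
    """Return a pcap holding frames first..last (1-based, inclusive, as tshark counts)."""
    out = bytearray(data[:24])  # keep the original global header (link type, snaplen)
    for number, (header, packet) in enumerate(iter_records(data), start=1):
        if number > last:
            break  # stop early: no need to read the rest of a huge file
        if number >= first:
            out += header + packet  # record header copied verbatim, orig_len preserved
    return bytes(out)

def build_sample_pcap(count):
    """Constructed test input: `count` tiny Ethernet-typed records, little-endian."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i in range(1, count + 1):
        payload = b"frame-%03d" % i
        out += struct.pack("<IIII", 1000 + i, 0, len(payload), len(payload)) + payload
    return bytes(out)
```

A range past the end of the file simply yields fewer frames, while a file cut off mid-record raises ValueError instead of silently emitting a short packet.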
