how to split a pcap file into a set of smaller ones

Solution 1:

You can use tcpdump itself with the -C, -r and -w options:

tcpdump -r old_file -w new_files -C 10

The "-C" option specifies the size of the files to split into. E.g.: in the above case, each new file will be 10 million bytes.

Solution 2:

Use the editcap utility, which is distributed with Wireshark.


Solution 3:

I know this answer is a little late, but it may serve other people as well. I found a great tool for splitting pcap files: PcapSplitter. It's part of the PcapPlusPlus library, which means it's cross-platform (Win32, Linux and Mac OS), and it can split pcap files based on different criteria such as file size (what you seem to need), but also by connection, client/server IP, server port (similar to protocol), packet count, etc. I found it very useful. The link above is for the source code, but if you don't want to or don't know how to compile, I created compiled binaries for several platforms I've been using this tool with. I recommend this tool very much.

EDIT: apparently a new version of PcapPlusPlus was released, and it contains PcapSplitter binaries for quite a lot of platforms (Windows, Ubuntu 12.04/14.04, Mac OS X Mavericks/Yosemite/El Capitan). I think it's better to use these binaries than the link I previously provided. You can find it here.


Solution 4:

The best and fastest way to go is to use SplitCap, which can split large packet dump files based on sessions, for example. This way you'd get each TCP session in a separate PCAP file. SplitCap can also separate packets into pcap files based on IP addresses.

You can read more about SplitCap on the Netresec blog: http://www.netresec.com/?page=Blog&month=2011-05&post=Split-or-filter-your-PCAP-files-with-SplitCap

Download SplitCap from here: http://www.netresec.com/?page=SplitCap

Good luck!
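The three splitting modes the answers above describe (by file size as with tcpdump -C, by packet count as with editcap -c, and by TCP session as with SplitCap) can be demonstrated in one place by reading the pcap format directly. The following is an added example, not code from any of the answers or from tcpdump, editcap, PcapSplitter or SplitCap, and it assumes classic .pcap input (not pcapng) with Ethernet-framed IPv4/TCP for the session mode; the flow tuples and frames it builds in make_sample_pcap are constructed test data, not real traffic. It also shows the check a practitioner wants when parsing captures of unknown origin: every record length is bounded by the file's own snaplen and by the buffer end, so a crafted incl_len cannot make the reader run past the data.

```python
"""Split a classic libpcap (.pcap) file by byte size, packet count, or TCP session.

Added example for the answers above, not code from tcpdump, editcap, PcapSplitter
or SplitCap. It parses the pcap format itself (24-byte global header, 16-byte
record header, raw Ethernet/IPv4/TCP) so it runs with none of those tools installed.
"""
import struct
from typing import Dict, List, Optional, Tuple

GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16
# pcap magic number -> struct byte-order prefix (microsecond and nanosecond variants)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}


def read_pcap(data: bytes) -> Tuple[bytes, List[bytes]]:
    """Return (global_header, records); a record is its 16-byte header plus packet bytes."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    endian = MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    records, off = [], GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        # Bound every length field by what the file promises: a crafted incl_len
        # must not exceed snaplen or run past the end of the buffer.
        if incl_len > snaplen:
            raise ValueError(f"offset {off}: incl_len {incl_len} exceeds snaplen {snaplen}")
        end = off + RECORD_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError(f"truncated record at offset {off}")
        records.append(data[off:end])
        off = end
    return data[:GLOBAL_HDR_LEN], records


def split_by_size(global_hdr: bytes, records: List[bytes], max_bytes: int) -> List[bytes]:
    """Roughly tcpdump -C: open a new file when the next record would push the current
    one past max_bytes. A record larger than max_bytes is still written, alone."""
    if max_bytes <= GLOBAL_HDR_LEN:
        raise ValueError("max_bytes must leave room for at least one record")
    files, cur, cur_len = [], [global_hdr], GLOBAL_HDR_LEN
    for rec in records:
        if cur_len + len(rec) > max_bytes and cur_len > GLOBAL_HDR_LEN:
            files.append(b"".join(cur))
            cur, cur_len = [global_hdr], GLOBAL_HDR_LEN
        cur.append(rec)
        cur_len += len(rec)
    if cur_len > GLOBAL_HDR_LEN:
        files.append(b"".join(cur))
    return files


def split_by_count(global_hdr: bytes, records: List[bytes], per_file: int) -> List[bytes]:
    """Like editcap -c: a fixed number of packets per output file."""
    if per_file < 1:
        raise ValueError("per_file must be >= 1")
    return [global_hdr + b"".join(records[i:i + per_file])
            for i in range(0, len(records), per_file)]


def tcp_session_key(record: bytes) -> Optional[tuple]:
    """Direction-independent 5-tuple of an Ethernet/IPv4/TCP frame, None for anything else."""
    pkt = record[RECORD_HDR_LEN:]
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":           # too short or not IPv4
        return None
    ihl = (pkt[14] & 0x0F) * 4
    if ihl < 20 or pkt[23] != 6 or len(pkt) < 14 + ihl + 4:  # bad IHL, not TCP, no ports
        return None
    ports = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
    ends = [(pkt[26:30], ports[0]), (pkt[30:34], ports[1])]  # (src, sport), (dst, dport)
    return tuple(sorted(ends))                                # same key in both directions


def split_by_tcp_session(global_hdr: bytes, records: List[bytes]) -> Dict[Optional[tuple], bytes]:
    """Like SplitCap's session mode: one output per TCP session, in first-seen order.
    Anything that is not IPv4/TCP lands under the key None instead of being dropped."""
    groups: Dict[Optional[tuple], List[bytes]] = {}
    for rec in records:
        groups.setdefault(tcp_session_key(rec), []).append(rec)
    return {key: global_hdr + b"".join(recs) for key, recs in groups.items()}


def make_sample_pcap(flows: List[Tuple[bytes, int, bytes, int]], pkts_per_flow: int = 3,
                     snaplen: int = 65535) -> bytes:
    """Constructed test input, not real traffic: 54-byte Ethernet/IPv4/TCP frames for each
    (src_ip, sport, dst_ip, dport) flow, alternating direction, in a little-endian pcap."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    out, ts = [], 1_700_000_000
    for src, sport, dst, dport in flows:
        for i in range(pkts_per_flow):
            a, ap, b, bp = (src, sport, dst, dport) if i % 2 == 0 else (dst, dport, src, sport)
            ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, a, b)
            tcp = struct.pack("!HHIIBBHHH", ap, bp, 0, 0, 0x50, 0x10, 0, 0, 0)
            frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
            out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
            ts += 1
    return hdr + b"".join(out)
```

For a real capture, pass the file bytes to read_pcap and write each returned chunk to its own file; every chunk starts with a copy of the original global header, so each one opens in Wireshark or tcpdump on its own. The whole file is held in memory, which is fine for checking a suspicious capture before handing it to a heavier parser but not for multi-gigabyte dumps, where the streaming tools in the answers above are the right choice. The session key sorts the two (address, port) endpoints so that both directions of a connection land in the same output, which is what you want when carving one flow out for analysis.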

Tags: Tcpdump, Pcap