tool for splitting pcap files by TCP connection?

Solution 1:

You can use tcpdump to extract the portions of the pcap that you want... suppose you're looking for packets in a socket connection between TCP/55777 on one host and TCP/80 on another. Your source file is bigfile.pcap, which is a sniffer dump of many HTTP sessions to the web host in question...

tcpdump -r bigfile.pcap -w session.pcap -s0 tcp and port 55777

That will pull all the packets going to and from TCP/55777 in bigfile.pcap and copy them into session.pcap.

Solution 2:

You can also use PcapSplitter which is part of the PcapPlusPlus package. It does exactly what you need (which is splitting pcap files by TCP or UDP connection), it's multi-platform and it doesn't have a limit on the number of connections in the original file (so you can use it to split a large pcap file containing thousands of connections or even more). The link above is for the source code, but if you want a compiled binary - here is a link for binaries I made for several platforms

EDIT: apparently a new version of PcapPlusPlus was released and it contains PcapSplitter binaries for quite a lot of platforms (Windows, Ubuntu 12.04/14.04, Mac OSX Mavericks/Yosemite/El Capitan). I think it's better to use these binaries than the link I previously provided. You can find it here


Solution 3:

tcpflow is what you want - splits pcaps into one file per TCP session

http://www.circlemud.org/jelson/software/tcpflow/


Solution 4:

A bit overkill, but using tshark (shipped with wireshark), you could do it with zsh:

file=file.pcap
tshark -Tfields -e tcp.stream \
                -e frame.time_epoch \
                -e ip.src \
                -e tcp.srcport \
                -e ip.dst \
                -e tcp.dstport -r $file |
  sort -snu |
  while read -A f; do 
    tshark -r $file -2R "tcp.stream == $f[1]" -w ${(j:-:)f[2,-1]}.pcap
  done

Which generates files named like 1509466312.202450000-10.0.0.1-58892-10.0.0.2-80.pcap (based on the first packet seen for each connection).


Solution 5:

There seems to be this tool which might work (I haven't used it personally)

http://www.netresec.com/?page=SplitCap (windows based)

SplitCap is a free (as in beer) open source pcap file splitter. SplitCap splits one big pcap file into multiple files based on TCP and UDP sessions, one pcap file per session. SplitCap can also be used to split a pcap file into one pcap file per host-pair instead of session.
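The per-connection split that tcpflow, PcapSplitter, SplitCap and the tshark loop above all perform, as an added dependency-free Python example (not code from any of the posters or the tools named): it parses the classic pcap format, groups IPv4/TCP packets by their direction-independent 4-tuple, and emits one pcap blob per connection. The sample capture built by make_packet/make_pcap is constructed for the demo, with checksums left as zero.

```python
import socket
import struct
from collections import defaultdict
PCAP_MAGIC = 0xA1B2C3D4   # little-endian, microsecond-resolution pcap; linktype 1 = Ethernet

def parse_pcap(data):
    """Yield (16-byte record header, packet bytes) for every record in a pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:          # pcapng or big-endian files need a different parser
        raise ValueError("unsupported pcap magic: %#x" % magic)
    off = 24                         # skip the global header
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl_len = struct.unpack("<IIII", hdr)[2]      # ts_sec, ts_usec, incl_len, orig_len
        yield hdr, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_flow_key(pkt):
    """Direction-independent ((ip, port), (ip, port)) key, or None if not IPv4/TCP."""
    if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":     # EtherType must be IPv4
        return None
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4                           # IPv4 header length in bytes
    if ip[9] != 6:                                     # IP protocol 6 = TCP
        return None
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    ends = [(socket.inet_ntoa(ip[12:16]), sport), (socket.inet_ntoa(ip[16:20]), dport)]
    return tuple(sorted(ends))                         # same key for both directions

def split_by_tcp_connection(data):
    """Return {flow_key: pcap blob holding only that connection's packets}."""
    flows = defaultdict(list)
    for hdr, pkt in parse_pcap(data):
        key = tcp_flow_key(pkt)
        if key is not None:                            # non-TCP traffic is dropped
            flows[key].append(hdr + pkt)
    return {k: data[:24] + b"".join(recs) for k, recs in flows.items()}

def make_packet(src, sport, dst, dport, payload=b""):
    """Constructed minimal Ethernet/IPv4/TCP frame for the demo; checksums are zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp
def make_pcap(packets):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # constructed global header
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1509466312 + i, 0, len(p), len(p)) + p
    return out
```

Writing each returned blob to a file named from its key (for example `10.0.0.1-58892-10.0.0.2-80.pcap`) gives the same one-file-per-connection layout the answers describe; read the input with `open(path, "rb").read()` instead of make_pcap for a real capture.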