tool for splitting pcap files by TCP connection? [closed]

linux command-line-interface tcp pcap

You can also use PcapSplitter which is part of the PcapPlusPlus package. It does exactly what you need (which is splitting pcap files by TCP or UDP connection), it's multi-platform and it doesn't have a limit on the number of connections in the original file (so you can use it to split a large pcap file containing thousands of connections or even more). The link above is for the source code, but if you want a compiled binary - here is a link for binaries I made for several platforms

EDIT: apparently a new version of PcapPlusPlus was released and it contains PcapSplitter binaries for quite a lot of platforms (Windows, Ubuntu 12.04/14.04, Mac OSX Mavericks/Yosemite/El Captian). I think it's better to use these binaries than the link I previously provided. You can find it here


You can use tcpdump to extract the portions of the pcap that you want... suppose you're looking for packets in a socket connection between TCP/55777 on one host and TCP/80 on another. Your source file is bigfile.pcap, which is a sniffer dump of many HTTP sessions to the web host in question...

tcpdump -r bigfile.pcap -w session.pcap -s0 tcp and port 55777

That will pull all the packets going to and from TCP/55777 in bigfile.pcap and copy them into session.pcap.

Related

ia32-libs : Depends: ia32-libs-i386 but it is not installable
command line - switch to administrator mode
How to tell what version of puppet you are running on centos?
How to SSH to ec2 instance in VPC private subnet via NAT server
What Does a Layer 3,4 Firewall do that a Layer 7 Does Not?
How to run nginx SSL on non-standard port
Bootable Windows Server 2016 USB Drive
Good free Helpdesk software? [closed]
Ubuntu get PostGreSQL running
How to set the hostname for a Debian Jessie system?
Ansible with_items doesn't print whole item?
Where does the LOCAL SYSTEM account store its "personal" files? [duplicate]