tool for splitting pcap files by TCP connection? [closed]
You can also use PcapSplitter which is part of the PcapPlusPlus package. It does exactly what you need (which is splitting pcap files by TCP or UDP connection), it's multi-platform and it doesn't have a limit on the number of connections in the original file (so you can use it to split a large pcap file containing thousands of connections or even more). The link above is for the source code, but if you want a compiled binary - here is a link for binaries I made for several platforms
EDIT: apparently a new version of PcapPlusPlus was released and it contains PcapSplitter binaries for quite a lot of platforms (Windows, Ubuntu 12.04/14.04, Mac OSX Mavericks/Yosemite/El Capitan). I think it's better to use these binaries than the link I previously provided. You can find it here
You can use tcpdump to extract the portions of the pcap that you want... suppose you're looking for packets in a socket connection between TCP/55777 on one host and TCP/80 on another. Your source file is bigfile.pcap, which is a sniffer dump of many HTTP sessions to the web host in question...
tcpdump -r bigfile.pcap -w session.pcap -s0 tcp and port 55777
That will pull all the packets going to and from TCP/55777 in bigfile.pcap and copy them into session.pcap.
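Both answers above split by connection either with a dedicated tool or with a per-port tcpdump filter. The following is an added example (not code from either answer, nor from PcapPlusPlus or tcpdump) that does the same grouping in pure Python: it parses a libpcap-format capture, keys every Ethernet/IPv4/TCP packet by its direction-independent (ip, port, ip, port) tuple, and returns one valid pcap per connection. The sample capture is constructed inline; frame layout, addresses and ports are assumptions for the demo.

```python
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic (microsecond timestamps)


def conn_key(frame: bytes):
    """Direction-independent key for an Ethernet/IPv4/TCP frame, or None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:       # IP protocol 6 = TCP
        return None
    src, dst = frame[26:30], frame[30:34]
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return tuple(sorted([(src, sport), (dst, dport)]))    # same key for both directions


def split_pcap(data: bytes):
    """Return {conn_key: pcap_bytes}; each value is a complete, loadable pcap."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == PCAP_MAGIC else ">"           # honour the writer's byte order
    header, off, groups = data[:24], 24, OrderedDict()
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        record = data[off:off + 16 + incl]                  # record header + captured bytes
        key = conn_key(record[16:])
        if key is not None:                                 # non-TCP packets are dropped
            groups.setdefault(key, bytearray(header)).extend(record)
        off += 16 + incl
    return {k: bytes(v) for k, v in groups.items()}


def make_frame(src: bytes, sport: int, dst: bytes, dport: int) -> bytes:
    """Constructed test frame: Ethernet + minimal IPv4 + TCP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def make_pcap(frames) -> bytes:
    """Constructed little-endian pcap (link type 1 = Ethernet) wrapping the frames."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


A, B, C = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x03"  # assumed hosts
SAMPLE = make_pcap([make_frame(A, 55777, B, 80), make_frame(C, 40000, B, 80),
                    make_frame(B, 80, A, 55777)])  # two connections, three packets
```

Calling `split_pcap(SAMPLE)` yields two entries; the A:55777 to B:80 entry holds both directions of that session, matching what the tcpdump port filter above selects.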