Tcpdump maximum split file size
I refer to this thread: how to split a pcap file into a set of smaller ones
I have tried to use the command tcpdump -r old_file -w new_files -C 4096
and tcpdump returns tcpdump: invalid file size 4096
So far I have tested up to 2048 (x1,000,000 bytes) and it successfully split a large pcap file into files of 2GB each. Is there any way to split a large pcap file (e.g. 20GB) into smaller files of 4GB each?
Unless you're willing to change the source and recompile, you're not going to get tcpdump to do it natively.
    case 'C':
        Cflag = atoi(optarg) * 1000000;
        if (Cflag < 0)
            error("invalid file size %s", optarg);
        break;
You would need to find and modify the type of Cflag. That, though, may lead to other unexpected issues.
You could try splitting it into 2GB chunks and then removing the 20-byte file header from the second file of each pair (dd seek is your friend), then use cat to concatenate the 2 files together.
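Why 2048 is accepted and 4096 is rejected, as an added example (not tcpdump's code and not the patch from the issue tracker): `cflag_as_int32` models the multiplication in the `case 'C'` block above under the assumption of a 32-bit `int` that wraps, and `parse_file_size` is a hypothetical replacement that keeps the byte count in 64 bits. The sample inputs are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Value the `Cflag < 0` check sees if int is 32 bits and the product wraps.
 * Signed overflow is undefined in C, so the wrap is modelled in 64 bits. */
int32_t cflag_as_int32(const char *arg)
{
    int64_t wide = (int64_t)atoi(arg) * 1000000;
    uint32_t low = (uint32_t)wide;            /* low 32 bits, well defined */
    if (low > (uint32_t)INT32_MAX)            /* reinterpret as two's complement */
        return (int32_t)((int64_t)low - 4294967296LL);
    return (int32_t)low;
}

/* Hypothetical hardened parser: strict decimal input, range-checked before
 * the multiply, result in 64 bits. Returns 0 on success, -1 on rejection. */
int parse_file_size(const char *arg, int64_t *bytes_out)
{
    char *end;
    errno = 0;
    long long units = strtoll(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE)
        return -1;                            /* empty, trailing junk, overflow */
    if (units <= 0 || units > INT64_MAX / 1000000)
        return -1;                            /* would be non-positive or overflow */
    *bytes_out = (int64_t)units * 1000000;
    return 0;
}

int main(void)
{
    /* Constructed inputs: 2147 is the largest value that fits, 4295 wraps
     * back to a small positive number that a sign check does not catch. */
    const char *samples[] = { "2048", "2147", "2148", "4096", "4295" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t bytes = 0;
        int rc = parse_file_size(samples[i], &bytes);
        printf("-C %s: 32-bit value %d, 64-bit parse rc=%d bytes=%lld\n",
               samples[i], (int)cflag_as_int32(samples[i]), rc, (long long)bytes);
    }
    return 0;
}
```

Under the same 32-bit assumption, a sign check alone misses inputs such as 4295, where the wrapped product is positive but far smaller than requested; checking the range before multiplying avoids both cases.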
There's a patch available for tcpdump in its GitHub repository, see issue #488. Applying the patch and compiling is really easy if you follow the instructions described in the INSTALL.txt (see repository's root directory).
Alternatively, you can also use the library PcapPlusPlus. In its GitHub repository there's an example of a PcapSplitter which does exactly the same as tcpdump -C. However, you also need to compile it before you can use it. But there's a Makefile available.