Is it possible to split PCAPS into multiple files bases on simple criteria

Question

Origional.pcap {split on port 80} which generates the 2 following files

all_port_80.pcap
everything_else.pcap

Or would it be easier to create multiple different tcpdumps that match my criteria

Thanks

score 5 · Accepted Answer · answered Jan 28 '14 at 21:54

5

Just use tcpdump to read from your capture file and write out a new file:

tcpdump -r all.pcap -w port80.pcap port 80 
tcpdump -r all.pcap -w other.pcap ! port 80

answered Jan 28 '14 at 21:54

Evan Anderson

141,881
20
196
331

Evan that is exactly what I was looking for that is awesome. – tkrabec Jan 29 '14 at 13:40

score 1 · Answer 2 · answered Nov 12 '16 at 18:19

Another option is to use PcapSplitter which is part of the PcapPlusPlus suite. You didn't specify the OS you're interested in but PcapSplitter works in both Windows, Linux and Mac OS X. You can use it as follows:

PcapSplitter -f all.pcap -o D:\Output -m bpf-filter -p "port 80"

It'll output two files: all-0000.pcap will contain port 80 packets and all-0001.pcap will contain the rest of the packets

Apparently the latest release of PcapPlusPlus doesn't contain this feature so you'll have to compile it yourself from source

Is it possible to split PCAPS into multiple files bases on simple criteria

2 Answers2