10

I've got a huge pcap file (100GB) and I'm interested in a small number of packets which I know are numbers 5,000,000 to 5,000,020.

How can I use tcpdump to read a pcap file, filter out packets by packet number (or range), and then write them out to a new pcap file?

growse
  • 3,554
  • 9
  • 43
  • 66

5 Answers5

17

It is quite simple using editcap that comes along with Wireshark (at least on CentOS and Debian). For the 5,000,000 to 5,000,020 packet numbers, you can do:

editcap -r <big_pcap_file> <new_pcap_file> 5000000-5000020
pdp
  • 4,117
  • 1
  • 17
  • 20
  • If someone is having trouble with the resulting PCAP file (e.g. tshark complaining "That string isn't a valid capture filter (syntax error)."), another option would be to use tshark with a filter: `tshark -r input.pcap -Y 'frame.number >= 5000000 and frame.number <= 5000020' -w output.pcap -F pcap` – ctitze Mar 20 '18 at 15:48
4

You can just use tshark like,

$ tshark -r <pcapfile> -Y "frame.number >= 3 && frame.number <= 5" -w <output-pcapfile>

Eg:-

$ tshark -r mae1_799.pcap -Y "frame.number >= 3 && frame.number <= 5"
3   0.000426 192.168.31.86 → 192.168.31.55 SCTP 64 SACK 
4   0.011255 192.168.60.55 → 192.168.201.55 TCP 68 80 → 53917 [ACK] Seq=1 Ack=1 Win=237 Len=0 TSval=3820568953 TSecr=1221428662
5   0.015323 192.168.12.3 → 192.168.12.2 SCTP 76 HEARTBEAT

You can write to a new file using the -w option,

$ tshark -r mae1_799.pcap -Y "frame.number >= 3 && frame.number <= 5" -w new.pcap

And make sure you have the required packets,

$ tcpdump -r new.pcap 
reading from file new.pcap, link-type LINUX_SLL (Linux cooked)
10:22:00.076746 IP 192.168.31.86.2905 > 192.168.31.55.2905: sctp (1) [SACK] [cum ack 661849925] [a_rwnd 102400] [#gap acks 0] [#dup tsns 0] 
10:22:00.087575 IP 192.168.60.55.http > 192.168.201.55.53917: Flags [.], ack 1035058538, win 237, options [nop,nop,TS val 3820568953 ecr 1221428662], length 0
10:22:00.091643 IP 192.168.12.3.2009 > 192.168.12.2.2008: sctp (1) [HB REQ]

As of Wireshark 2.6.0 Release, you can use the membership operator for range like frame.number in {start..end},

$ tshark -r mae1_799.pcap -Y "frame.number in {3..5}"
3   0.000426 192.168.31.86 → 192.168.31.55 SCTP 64 SACK 
4   0.011255 192.168.60.55 → 192.168.201.55 TCP 68 80 → 53917 [ACK] Seq=1 Ack=1 Win=237 Len=0 TSval=3820568953 TSecr=1221428662
5   0.015323 192.168.12.3 → 192.168.12.2 SCTP 76 HEARTBEAT

Write to a file:

$ tshark -r mae1_799.pcap -Y "frame.number in {3..5}" -w new.pcap
han solo
  • 6,390
  • 1
  • 15
  • 19
3

You can use a small program named tricap. Tricap is part of Xplico. The source code can be donwload also from here: https://github.com/M0Rf30/xplico/tree/master/system/trigcap

Gianluca Costa
  • 476
  • 4
  • 6
1

You pose a very interesting question (at least to me!), so I started researching for an answer.

I was somewhat surprised to see that the tcpdump man page and docs do not include any mention of packet number, which I would have thought it would for use with the -r option (reading from pcap file). I'm starting to think that the pcap output file does NOT include a packet number?

I do know that if you load it into Wireshark, you WILL see a packet number in the leftmost column, but since you're talking about a 100Gb file I did not want to suggest you load it into Wireshark (maybe Wireshark on a Linux server can deal with that? Dunno...)

Anyways, I came across editcap, which I have not used in the past but is a command-line tool that is part of Wireshark. editcap does allow you to specify packet number or packet number range. So this made me think that maybe packet number is just a Wireshark thing, and that pcap files just stores the packets without caring about labeling any order numbers?

editcap - man page: http://www.wireshark.org/docs/man-pages/editcap.html

editcap - user guide: http://www.wireshark.org/docs/wsug_html_chunked/AppToolseditcap.html

Be careful since it seems that editcap main function is to remove packets (duplicates), so watch out for any default behaviors there!

Hope this helps, and if anybody has more light to shed on this I'd love to hear it!

James
  • 1,186
  • 9
  • 14
1

There is not easy way to do this, there are a couple ways to mitigate the size of the file, as well as prevent such big files. Here are a couple of work arounds:

tcpdump -r infile apply filters -w outfile

Example: 

tcpdump -r firstcap.pcap -nn host 192.168.1.177 -w 177file.pcap

With this filter you will parse out all the packets that contain the host 192.168.1.177 to a new pcap file called 177file.pcap; you can also specify protocols like tcp, udp, icmp, and arp, and parse out those packets into a separate file.

I'm not sure you can get a specific range easily, there is a work around way where you use head and tail to zero in on a specific set of lines:

For Example:

Lets say you want lines 400-500 in a 1000 packet file:

tcpdump -r firstcap.pcap -c 500 | tail -100 >> outfile.txt

This will print the first 500 packets, and then pipe that output to tail which will just show the last 100 packets of the 500 packet capture, so effectively 400-500. Then you are just appending said packerts in ASCII to outfile.txt, ie its not in pcap format anymore.

NOTE: It is very important to note that tail prints the last N number of lines NOT packets, so if you are showing the packets in hex format you'd have to take that into account in your calculation.

To avoid creating huge pcap files you can rotate a capture quite easily with tcpdump, I wrote about it here:

http://www.ppartyka.com/2014/03/tutorial-tcpdump-pcap-file-too-large.html

Hope this helps.

Peter Party Bus
  • 2,326
  • 1
  • 14
  • 15