
I got .pcap files that need to be split into time intervals (e.g. 1 sec). That means, for example, the first set of packets that arrived in the first 1 second, then the next set of packets that arrived in the next 1 sec, and so on. When I use the below Python (3.7) code the files get split. But the 'time delta from previous displayed frame' value is different in all the split files. It gets assigned to zero. The time delta of the other packets is correct. Only the first packet of all the split files is different. I need the split files to have the same values as the original file. How can I change my Python code to split the .pcap files and get the same values as the original file? Is there any other way than using editcap?

    import os
    import subprocess

    startdir = '.'
    for root, dirs, files in os.walk(startdir):
        for file in files:
            if file.endswith('.pcap'):
                filename = os.path.join(root, file)
                # -i <seconds>: one output file per interval. editcap inserts a
                # sequence number and a timestamp before the extension of the
                # output name, so using the input name as the output name does
                # not overwrite the original. Passing an argument list instead
                # of a shell string avoids quoting problems with odd filenames.
                subprocess.run(['editcap', '-i', '1', filename, filename], check=True)
user3535695
  • When you split the capture file into multiple files, the 1st packet of each file will always have a delta time from the previous packet of 0 because there are no previous packets. By splitting packets into different files, there is no longer any correlation between the last packet of the previous file and the first packet of the next file. If you require correct delta times between packets, then you can't split them; they must all be part of the same file. – Christopher Maynard Jul 08 '19 at 14:54
  • Would it be possible to separate a .pcap file into separate .pcap files based on a given time interval, without using the editcap tool, by using a Python script? – user3535695 Jul 08 '19 at 15:14
  • If there is, I wouldn't know how. In any case, it wouldn't help with the delta times. Delta times are not stored in pcap files; they're interpreted by the packet analysis tools based on the timestamps of the packets, so nothing you do when splitting packets into multiple files will yield a non-zero delta time for the 1st packet of any capture file. – Christopher Maynard Jul 08 '19 at 16:14
  • @ChristopherMaynard Okay, thanks. Editcap -i only accepts seconds. How can we give a millisecond value? It's not accepting decimal values even. Any help please? – user3535695 Jul 12 '19 at 10:23

1 Answer

You can use editcap and it does accept floating point values (e.g. 0.5):

    editcap -i <seconds per file> <input_file> <output_file_format>

More details here: https://www.wireshark.org/docs/man-pages/editcap.html

Umakant
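A pure-Python splitter, added here as an example and not code from the question or the answer, that parses the classic pcap format directly, so it accepts fractional intervals and copies each record header (and therefore each timestamp) unchanged; as the comments above explain, the first packet of every output file still shows a zero delta in Wireshark because the delta is derived from the stored timestamps rather than stored itself. Assumptions: little-endian classic pcap input (not pcapng or big-endian files), bucket 0 starting at the earliest packet timestamp, and `make_test_pcap`, which builds a constructed in-memory sample.

```python
import struct

# Classic pcap layout; magic 0xa1b2c3d4 = microsecond, 0xa1b23c4d = nanosecond timestamps.
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_frac, incl_len, orig_len
TS_UNITS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}

def ts_units(data):
    """Return timestamp units per second for a little-endian classic pcap, else raise."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in TS_UNITS:
        raise ValueError("unsupported magic 0x%08x (big-endian or pcapng not handled)" % magic)
    return TS_UNITS[magic]

def parse_records(data):
    """Return [(integer timestamp in file units, raw record bytes), ...] in file order."""
    units, off, records = ts_units(data), GLOBAL_HDR.size, []
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = RECORD_HDR.unpack_from(data, off)
        end = off + RECORD_HDR.size + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec * units + ts_frac, data[off:end]))
        off = end
    return records

def split_pcap(data, interval_seconds):
    """Split one pcap byte string into {bucket_index: pcap bytes} per time interval.
    Assumption: bucket 0 starts at the earliest timestamp; records are copied verbatim."""
    units = ts_units(data)
    step = round(interval_seconds * units)  # integer units, e.g. 0.5 s -> 500000 us
    if step <= 0:
        raise ValueError("interval is below this file's timestamp resolution")
    records = parse_records(data)
    if not records:
        return {}
    base = min(ts for ts, _ in records)  # min() copes with out-of-order timestamps
    buckets = {}
    for ts, rec in records:
        buckets.setdefault((ts - base) // step, []).append(rec)
    return {i: data[:GLOBAL_HDR.size] + b"".join(recs) for i, recs in sorted(buckets.items())}

def make_test_pcap(timestamps_us):
    """Constructed sample: microsecond pcap (linktype 1) with one 4-byte dummy packet each."""
    hdr = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = (RECORD_HDR.pack(t // 1_000_000, t % 1_000_000, 4, 4) + b"\xde\xad\xbe\xef" for t in timestamps_us)
    return hdr + b"".join(recs)
```

To mirror the question's os.walk loop, write each value returned by `split_pcap(open(path, 'rb').read(), 0.5)` to its own file named after the source and the bucket index.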