How to split a PCAP file based off time column with editcap?

Question

I have a PCAP file I exported from wireshark that's rather large. The PCAP looks as follows:

No. Time    Source  Destination Protocol    Length  Info
1   0   192.168.100.180 8.8.8.8 DNS 95  Standard query 0xf948 A detectportal.firefox.com OPT
2   0.000159827 192.168.100.180 8.8.8.8 DNS 95  Standard query 0xaf8a AAAA detectportal.firefox.com OPT
3   0.002743676 8.8.8.8 192.168.100.180 DNS 206 Standard query response 0xf948 A detectportal.firefox.com CNAME detectportal.prod.mozaws.net CNAME prod.detectportal.prod.cloudops.mozgcp.net A 34.107.221.82 OPT
4   0.002774349 8.8.8.8 192.168.100.180 DNS 218 Standard query response 0xaf8a AAAA detectportal.firefox.com CNAME detectportal.prod.mozaws.net CNAME prod.detectportal.prod.cloudops.mozgcp.net AAAA 2600:1901:0:38d7:: OPT
12  0.168337688 192.168.100.180 8.8.8.8 DNS 82  Standard query 0x6b67 A mozilla.org OPT
13  0.170840019 8.8.8.8 192.168.100.180 DNS 98  Standard query response 0x6b67 A mozilla.org A 63.245.208.195 OPT
14  0.201381247 192.168.100.180 8.8.8.8 DNS 82  Standard query 0xce22 AAAA

...

I want to split the PCAP file into 10 smaller PCAPs based on the time column. Basically, 10 PCAP files, each file spanning about 50 seconds.

I think editcap may help me, but I'm not sure what the proper command would be. (Never even heard of editcap until ~2 days ago lol)

Answer 1

You can use editcap as below:

editcap -i <seconds per file> <input_file> <output_file_format>

More details here - https://www.wireshark.org/docs/man-pages/editcap.html