How to Break Up Large tcpdump Files

Question

Is there something that can break up tcpdump file after the captuure and make sure the breaks are on the border of packet data?

Like -C but after the fact.

is it because the files are too big or that you want them easier to read? — djangofan, Mar 18 '10 at 15:50
djangofan: To big, When I load them into wireshark it faults because it can't allocate the memory. Only grabbing the default 96 snap, but they are for whole days. — Kyle Brandt, Mar 18 '10 at 17:44

score 9 · Accepted Answer · answered Mar 18 '10 at 13:24

I've used editcap in the past, with great success.

editcap -c 1000 large-in.pcap smaller-out

That command should generate one or more files named smaller-out-00000, smaller-out-00001 and so on, containing the firs, second, etc thousand packets from the input file.

score 4 · Answer 2 · answered Mar 18 '10 at 15:41

4

TCPSplit will do this. It even makes sure that you don't lose TCP sessions in the break.

answered Mar 18 '10 at 15:41

Bill Weiss

11,089

I've used tcpsplit for files up to 40GB, and it worked great. – Scott Pack Mar 18 '10 at 18:33

score 3 · Answer 3 · answered Mar 18 '10 at 13:25

3

You can use editcap to do split based on number of packets (or time range), or if you really need to split based on size, try this script.

answered Mar 18 '10 at 13:25

James

7,701

score 1 · Answer 4 · answered Mar 18 '10 at 12:04

1

Have you looked at csplit?

answered Mar 18 '10 at 12:04

Dennis Williamson

62,879

csplit isn't very useful on binary files... – James Mar 18 '10 at 13:28

score 1 · Answer 5 · answered Mar 18 '10 at 15:02

1

To simply split to a manageable size, you should be able to do it with tcpdump itself, using -C, -w and -r options. but I have not tried it.

answered Mar 18 '10 at 15:02

Dan Andreatta

5,504

How to Break Up Large tcpdump Files

5 Answers5