2
votes

I have a scenario where I have a big PCAP file that contains different flows (that share source IP and port, destination IP and port, and TCP/UDP).

I am wondering if I can use tshark to split this big pcap file into different pcap files, one per flow, so that each PCAP file contains a single flow.

I found this code, but it works for TCP connections:

# enumerate the distinct TCP conversation indexes, then write one capture per index
for stream in $(tshark -r ~/Downloads/http.cap -T fields -e tcp.stream | sort -n | uniq)
do
    echo "$stream"
    # -Y is the display-filter option on current tshark; older versions used -R
    tshark -r ~/Downloads/http.cap -w "stream-$stream.cap" -Y "tcp.stream == $stream"
done

I am looking for how to split UDP connections.

Many thanks for your help in advance. Mike
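As an added example (not code from the question or either answer), here is a tshark-only script that splits a capture into one file per TCP flow and one file per UDP flow. It relies on the udp.stream conversation-index field, which current tshark releases provide alongside tcp.stream; whether your installed build has it is an assumption to check with `tshark -G fields | grep udp.stream`. Both stream indexes group the two directions of a conversation, so each output file holds the full exchange, the same grouping SplitCap produces by default. The input file, output directory and file-name pattern are placeholders.

```bash
#!/usr/bin/env bash
# Added example: per-flow pcap splitting for TCP and UDP with tshark.
# Assumes a tshark that knows the udp.stream field (check: tshark -G fields | grep udp.stream).
set -eu

# Build the display filter selecting one conversation, e.g. "udp.stream == 7".
flow_filter() {           # $1 = tcp|udp, $2 = stream index
    printf '%s.stream == %s' "$1" "$2"
}

# Output file name for one flow, e.g. flow-udp-0007.pcap (zero-padded so ls sorts numerically).
flow_file() {             # $1 = tcp|udp, $2 = stream index
    printf 'flow-%s-%04d.pcap' "$1" "$2"
}

# List the distinct stream indexes of one protocol present in the capture.
# Packets of other protocols print an empty field, so those lines are dropped.
stream_ids() {            # $1 = tcp|udp, $2 = input pcap
    tshark -r "$2" -Y "$1" -T fields -e "$1.stream" | grep -v '^$' | sort -n | uniq
}

# Write one pcap per flow for both protocols and report how many files were produced.
# -Y is the display-filter option; modern tshark only accepts -R together with -2.
split_flows() {           # $1 = input pcap, $2 = output directory
    local infile=$1 outdir=$2 proto id
    mkdir -p "$outdir"
    for proto in tcp udp; do
        stream_ids "$proto" "$infile" | while read -r id; do
            tshark -r "$infile" -Y "$(flow_filter "$proto" "$id")" \
                   -w "$outdir/$(flow_file "$proto" "$id")"
        done
    done
    ls "$outdir" | wc -l
}

# Only run when a capture is given on the command line and tshark is installed,
# e.g.:  ./split_flows.sh big.pcap flows/
if [ "$#" -ge 1 ] && command -v tshark >/dev/null 2>&1; then
    split_flows "$1" "${2:-flows}"
fi
```

Reading the capture once per flow is the cost of this approach: a file with thousands of conversations means thousands of passes over it, which is where SplitCap's single-pass design wins on large inputs.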


2 Answers

2
votes

SplitCap is your friend.
SplitCap is an open source pcap file splitter. By default it splits a pcap into multiple files based on UDP and TCP sessions. The output is one file per session.
$ splitcap -r yourfile.pcap

You can read more tips and tricks in my article about SplitCap and TShark.

0
votes

Splitcap works using the -y L7 flag but this can also be done with tshark as follows:

tshark -r http.cap -T fields -e data | xxd -r -p > out.bin

Piping tshark's output to xxd is necessary as the output from tshark is in hex. And you'll probably want to filter by host (using -R or -Y flags) on tshark so you end up with contiguous data output.