I have a scenario where I have a big PCAP file that contains different flows (packets that share source IP and port, destination IP and port, and TCP/UDP).
I am wondering if I can use tshark to split this big pcap file into separate pcap files by flow, so that each PCAP file contains a single flow.
I found this code, but it only works for TCP connections:
# list each TCP stream index once (the original was missing the $(...) command substitution)
for stream in $(tshark -r ~/Downloads/http.cap -T fields -e tcp.stream | sort -n | uniq)
do
    echo "$stream"
    # -Y is the single-pass display filter; -R now needs -2 (two-pass mode) in current tshark
    tshark -r ~/Downloads/http.cap -Y "tcp.stream==$stream" -w "stream-$stream.cap"
done
How can I do the same to split UDP connections?
Many thanks for your help in advance. Mike
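As an added example (not part of the original post), the script below generalises the TCP loop above to both protocols using tshark's `tcp.stream` and `udp.stream` conversation-index fields. It assumes a tshark recent enough to have `udp.stream` and the `-Y` display-filter option, and the function and file names (`stream_filter`, `stream_outfile`, `split_streams`, `streams/` output directory) are my own choices. Note that a Wireshark "stream" is a bidirectional conversation, so both directions of a 5-tuple land in the same file; if you need one file per direction, filter additionally on source/destination address and port.

```shell
#!/bin/sh
# Added example: split a capture into one file per TCP and per UDP
# conversation, using tshark's tcp.stream / udp.stream indices.
# Assumes tshark >= 1.12 (udp.stream field, -Y display filter).
set -eu

# Build the display filter that selects one conversation.
# proto is "tcp" or "udp"; id is the stream index tshark printed.
stream_filter() {
    proto="$1"; id="$2"
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    case "$id" in
        ''|*[!0-9]*) echo "stream index must be numeric: $id" >&2; return 1 ;;
    esac
    printf '%s.stream == %s' "$proto" "$id"
}

# Output file for one conversation. The protocol goes in the name because
# tcp.stream and udp.stream are independent counters that both start at 0.
# tshark -w writes pcapng by default, hence the extension.
stream_outfile() {
    outdir="$1"; proto="$2"; id="$3"
    printf '%s/%s-stream-%s.pcapng' "$outdir" "$proto" "$id"
}

# Print each distinct stream index of one protocol in the capture.
# -Y "$proto" keeps packets of other protocols from printing empty fields.
list_streams() {
    pcap="$1"; proto="$2"
    tshark -r "$pcap" -Y "$proto" -T fields -e "$proto.stream" | sort -n | uniq
}

# Write every conversation of one protocol to its own file.
split_streams() {
    pcap="$1"; proto="$2"; outdir="$3"
    mkdir -p "$outdir"
    list_streams "$pcap" "$proto" | while IFS= read -r id; do
        [ -n "$id" ] || continue
        tshark -r "$pcap" -Y "$(stream_filter "$proto" "$id")" \
               -w "$(stream_outfile "$outdir" "$proto" "$id")"
    done
}

main() {
    pcap="$1"
    outdir="${2:-streams}"
    split_streams "$pcap" tcp "$outdir"
    split_streams "$pcap" udp "$outdir"
}

# Usage: ./split_streams.sh capture.pcap [outdir]
if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 capture.pcap [outdir]" >&2
fi
```

Each output file is written with a second `tshark -r` pass over the input, so on a very large capture this is O(streams x file size); it is simple and correct, but for captures with thousands of conversations a single pass that writes per-stream files from a script (for example with pyshark or scapy) will be much faster.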