lost and found ( for me ? )

Small tips: How to split a pcap file with editcap


Here's a small tip on how to split a pcap file using the editcap command, which is included with Wireshark.

Here’s an excerpt of “man editcap”.
      -c  <packets per file>
          Sets the maximum number of packets per output file. Each output
          file will be created with a suffix -nnnnn, starting with 00000. If
          the specified number of packets are written to the output file, the
          next output file is opened. The default is to use a single output
          file.

[ example ]

Split the pcap file (large.pcap) into output files of 10,000 packets each.
# editcap -c 10000 large.pcap 10000packets-out

# ls 10000packets-out-0* | head -5
10000packets-out-00000
10000packets-out-00001
10000packets-out-00002
10000packets-out-00003
10000packets-out-00004
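What the -c split does at the file level, as an added Python example (not editcap's code and not from the original post): it handles classic pcap only, not pcapng, copies the 24-byte global header into every chunk, and uses the -nnnnn suffix from the man page excerpt. The names split_pcap and build_sample are hypothetical, and the sample capture is constructed.

```python
import struct

# Classic pcap magic as stored on disk -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def split_pcap(src, prefix, per_file):
    """Split src into files of at most per_file packets; return (names, packet count)."""
    if per_file < 1:
        raise ValueError("per_file must be >= 1")
    outputs, out, count = [], None, 0
    with open(src, "rb") as f:
        global_hdr = f.read(24)
        order = MAGICS.get(global_hdr[:4])
        if len(global_hdr) < 24 or order is None:
            raise ValueError("not a classic pcap file (pcapng is not handled)")
        while True:
            rec_hdr = f.read(16)          # ts_sec, ts_frac, incl_len, orig_len
            if len(rec_hdr) < 16:
                break                     # end of file, or a cut-off record header
            incl_len = struct.unpack(order + "IIII", rec_hdr)[2]
            payload = f.read(incl_len)
            if len(payload) < incl_len:
                break                     # truncated last packet: do not write it
            if count % per_file == 0:     # current chunk is full: open the next one
                if out:
                    out.close()
                outputs.append(f"{prefix}-{len(outputs):05d}")
                out = open(outputs[-1], "wb")
                out.write(global_hdr)     # every chunk must be a valid pcap by itself
            out.write(rec_hdr + payload)
            count += 1
    if out:
        out.close()
    return outputs, count

def build_sample(path, n):
    """Write a constructed little-endian pcap holding n 60-byte packets (test data)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i in range(n):
            pkt = bytes([i % 256]) * 60
            f.write(struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt)

if __name__ == "__main__":
    build_sample("sample.pcap", 25)
    print(split_pcap("sample.pcap", "10packets-out", 10))
```

Comparing the returned packet count with the total reported for the original capture is a quick check that nothing was lost in the split.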
