
separate flow base packet


Hello, I have a pcap file and I am going to separate the packets by flow (and optionally save them to a file), then separate the request and response packets (and save them to a file). I use Linux. Is there any app or method to do this? Thanks

This question is marked "community wiki".

asked 15 Jul '14, 03:08


accept rate: 0%

2 Answers:


You can use tcpflow on Linux

or tcpick

Or other tools from the following list

On Windows there is SplitCap

And finally, you can also use tshark

    tshark -nr input.pcap -Y "tcp.stream eq 1" -w stream1.pcap


answered 15 Jul '14, 03:16


Kurt Knochner ♦
accept rate: 15%

I used tcpflow and separated the flows, but I still have a problem with the response/request separation. Can you help me? Thanks

(16 Jul '14, 03:00) mhch

request/response of which protocol?

(16 Jul '14, 07:51) Kurt Knochner ♦

Thanks, Kurt Knochner. I have a pcap file that includes every protocol, like FTP, HTTP, HTTPS and so on. I am going to separate every flow and then separate every response and request.

(19 Jul '14, 22:03) mhch


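I wrote a script with bash and used tcpflow in my script. This is my script:

    set -vx
    read -p "where is your pcap file ? " pcap
    # Assumption: $packets was never set in the posted script; it is taken
    # here to be the tcpflow output directory.
    packets=/tmp/outdir
    tcpflow -a -o "$packets" -r "$pcap"
    ls "$packets" > /tmp/list
    while read line
    do
        # tcpflow names each file srcip.srcport-dstip.dstport
        P1=$(echo "$line" | cut -d "-" -f 1)
        P2=$(echo "$line" | cut -d "-" -f 2)
        if [ -d "$P1-$P2" ] || [ -d "$P2-$P1" ]
        then
            continue
        else
            mkdir -p "$P1-$P2/$P1"
            mkdir -p "$P1-$P2/$P2"
        fi
        # One sub-directory per direction; -type f keeps find from matching
        # the directories created above.
        find "$packets" -type f -name "$P1-$P2" -exec mv {} "$P1-$P2/$P1" \;
        find "$packets" -type f -name "$P2-$P1" -exec mv {} "$P1-$P2/$P2" \;
    done < /tmp/list
    set +vx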

answered 27 Jul '14, 01:39


accept rate: 0%
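The request/response split asked about in the comments does not depend on the application protocol: it can be derived from which endpoint opened each TCP connection. The following is an added example, not code from either answer, using only the Python standard library. It assumes a classic pcap file with Ethernet/IPv4 framing and appends payloads in capture order (no retransmission or reordering handling); `split_flows`, `make_frame`, `sample_pcap` and the sample addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

def split_flows(pcap: bytes) -> dict:
    """Group TCP payload bytes per connection, then per direction."""
    if pcap[:4] not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic (microsecond) pcap file")
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    flows, client, off = defaultdict(lambda: {"request": b"", "response": b""}), {}, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, or not IPv4 carrying TCP
        ip_end = 14 + struct.unpack(">H", frame[16:18])[0]  # excludes Ethernet padding
        tcp = frame[14 + (frame[14] & 0x0F) * 4:ip_end]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack(">HH", tcp[:4])
        src = (".".join(map(str, frame[26:30])), sport)
        dst = (".".join(map(str, frame[30:34])), dport)
        key = tuple(sorted((src, dst)))  # same key for both directions
        if key not in client:
            # The first packet seen names the client; a SYN+ACK comes from the server.
            client[key] = dst if tcp[13] & 0x12 == 0x12 else src
        side = "request" if src == client[key] else "response"
        flows[key][side] += tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header
    return dict(flows)

def make_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap() -> bytes:
    """Constructed capture: one HTTP flow, one FTP flow first seen at its SYN+ACK."""
    c, s = "10.0.0.5", "10.0.0.80"
    frames = [make_frame(c, s, 40000, 80, 0x02), make_frame(s, c, 80, 40000, 0x12),
              make_frame(c, s, 40000, 80, 0x18, b"GET / HTTP/1.1\r\n\r\n"),
              make_frame(s, c, 80, 40000, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),
              make_frame(s, c, 21, 40001, 0x12),
              make_frame(s, c, 21, 40001, 0x18, b"220 ready\r\n"),
              make_frame(c, s, 40001, 21, 0x18, b"USER demo\r\n")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

For a capture that starts in the middle of a connection, the sender of the first packet seen is treated as the client, so the request and response labels for that flow may be swapped.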