This is a static archive of our old Q&A Site. Please post any new questions and answers at

Extract syn packets from massive pcap file


Hi I'm trying to baseline SYN rates on our network. I have a 145GB pcap and I'm trying to use tshark to extract them.

tshark -Y tcp[13]==02 -r "reallybigpcap.cap" -w syns.pcap

This eventually fails with an failed to allocate memory error. I think it's trying to load the whole file into ram and fails.

Can anyone suggest another tool that can do what I want ?

asked 17 Mar '15, 07:30

20fathoms's gravatar image

accept rate: 0%

thanks all!

(18 Mar '15, 13:05) 20fathoms

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(18 Mar '15, 16:03) grahamb ♦

2 Answers:


You might first try truncating the file to only the first 66 bytes (IPv4) to limit the amount of additional protocol decoding that tshark needs to do. Use editcap to create a new file.

editcap -s 66 reallybigcap.cap newsmallercap.cap

This will only grab the bytes up through the IPv4 header in each packet. Then, re-try your tshark command with the "newsmallercap.cap" file. Tshark will still use up memory, but hopefully less than before.

If there's a better way, please let me know too!

answered 17 Mar '15, 11:08

zachad's gravatar image

accept rate: 21%


You can use tcpdump or windump for this purpose as it does not keep (as much) state (as tshark). If the file is still too big to process, you can use editcap to split it into chunks and then process each chunk and then merge the filtered parts back to one file with mergecap.

Editcap and mergecap came with wireshark and tcpdump/windump are separate programs.

answered 17 Mar '15, 12:05

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

I wonder if this is a good use case for enhancing dumpcap to be able to read capture files?

By the way, I'll just mention another possible method for getting information from a big file. It involves the use of tail, rawshark and grep. Admittedly, it's sort of a hack, and you can't save the resulting packets to a new file, but it might be useful to someone:

tail -c +25 file.pcap | rawshark -d encap:EN10MB -F field1 -F field2 ... -F fieldn -R "tcp.flags.syn == 1" -r - | grep "1 \-$"

(19 Mar '15, 14:44) cmaynard ♦♦

I would rather see editcap extended with capture filter capabilities, seems like a more logical place :-)

(19 Mar '15, 15:42) SYN-bit ♦♦