This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to split a .pcap file

0

There is a merge option in Wireshark, but is there anything like it to split a file into 2 parts which can be read using Wireshark?

asked 12 May '17, 11:04


w_keyboard
6557
accept rate: 0%


2 Answers:

1

Editcap might do what you need: https://www.wireshark.org/docs/man-pages/editcap.html

Editcap is a program that reads some or all of the captured packets from the infile, optionally converts them in various ways and writes the resulting packets to the capture outfile (or outfiles).

By default, it reads all packets from the infile and writes them to the outfile in pcap file format.

An optional list of packet numbers can be specified on the command tail; individual packet numbers separated by whitespace and/or ranges of packet numbers can be specified as start-end, referring to all packets from start to end. By default the selected packets with those numbers will not be written to the capture file. If the -r flag is specified, the whole packet selection is reversed; in that case only the selected packets will be written to the capture file.

answered 12 May '17, 11:33


Bob Jones
1.0k2515
accept rate: 21%

1

Aside from the 'editcap' command line utility, the 'File > Export Specified Packets' GUI in Wireshark is pretty flexible, and gives you some options for saving a capture file containing only part of an existing capture file.

For example, if I wanted to save "half" of the file, I might select the first packet, hit ctrl+m (to mark it), then do the same to the "middle" packet, and export the "first to last marked".

As another example, I might apply a display filter to show me just one protocol, or just one source/destination IP address, and export "all displayed". Then I could save "everything else" with a "!" added to the front of that filter if I wanted.

Since the "export specified packets" GUI lets you base it on display filters or markings, there's little you can't do there in terms of carving up a capture file.

Having said that, 'editcap' is efficient and can cut up files based on timestamps or frame numbers quite nicely. As always it really depends on your particular use case, and what specifically you want to do when you say you want to "split" the capture.

answered 12 May '17, 14:37


Quadratic
1.9k6928
accept rate: 13%
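Both answers point at editcap for frame-number splits without showing what a split actually does to the file. The following Python script is an added example (not from either answer or from the Wireshark project) that performs the same operation as `editcap -r in.pcap first.pcap 1-N` and its complement for classic pcap files: it reads the 24-byte global header, walks the 16-byte record headers in the file's own byte order, rejects truncated records, and emits two halves that each keep the original global header so Wireshark can open them. The sample capture is constructed inline; pcapng input is deliberately refused rather than handled.

```python
import struct

GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
# Magic values as seen when the first four bytes are read little-endian (usec and nsec variants).
LITTLE_ENDIAN_MAGIC = {0xA1B2C3D4, 0xA1B23C4D}
BIG_ENDIAN_MAGIC = {0xD4C3B2A1, 0x4D3CB2A1}

def pcap_byte_order(data: bytes) -> str:
    """Return the struct byte-order prefix ('<' or '>') for a classic pcap file, or raise."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in LITTLE_ENDIAN_MAGIC:
        return "<"
    if magic in BIG_ENDIAN_MAGIC:
        return ">"
    raise ValueError("not a classic pcap file (pcapng is not handled here)")

def parse_pcap(data: bytes):
    """Split a pcap into (global_header, [record, ...]); each record keeps its 16-byte header."""
    order = pcap_byte_order(data)
    records, pos = [], GLOBAL_HDR_LEN
    while pos < len(data):
        if pos + RECORD_HDR_LEN > len(data):
            raise ValueError(f"truncated record header at offset {pos}")
        incl_len = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        end = pos + RECORD_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError(f"record at offset {pos} claims {incl_len} bytes past end of file")
        records.append(data[pos:end])
        pos = end
    return data[:GLOBAL_HDR_LEN], records

def split_pcap(data: bytes, first_count: int):
    """Return two pcap files: packets 1..first_count and the rest, each with the original global header."""
    header, records = parse_pcap(data)
    if not 0 < first_count < len(records):
        raise ValueError("first_count must leave at least one packet in each half")
    return header + b"".join(records[:first_count]), header + b"".join(records[first_count:])

def build_pcap(payloads, order="<") -> bytes:
    """Constructed sample input: a pcap wrapping arbitrary byte strings as Ethernet frames (not a real capture)."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, payload in enumerate(payloads):
        out += struct.pack(order + "IIII", 1494400000 + i, i * 1000, len(payload), len(payload)) + payload
    return out
```

Write the two returned byte strings to disk to get the pair of files; `editcap -r in.pcap first.pcap 1-3` yields an equivalent first half for a three-packet split.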