TShark and SplitCap
SplitCap is a great tool, but if you have a large capture file you end up with a lot of output files.
Sample capture file SIP_CALL_RTP_G711 (rename the file to SIP_CALL_RTP_G711.pcap).
TShark
Run this command to get an overview of the TCP and UDP conversations:
$ tshark -r SIP_CALL_RTP_G711.pcap -q -z conv,tcp -z conv,udp
SplitCap
You can use the overview to build your filter for SplitCap. You can filter on ip addresses and/or port numbers to split the file.
You can use the option -s nosplit to create a single output file.
Here are some examples:
$ splitcap -r SIP_CALL_RTP_G711.pcap -port 23 -port 110
$ splitcap -r SIP_CALL_RTP_G711.pcap -port 23 -port 110 -s nosplit
$ splitcap -r SIP_CALL_RTP_G711.pcap -ip 200.73.183.213 -port 110 -s nosplit
$ splitcap -r SIP_CALL_RTP_G711.pcap -ip 200.57.7.204 -s nosplit
answered 21 Dec '11, 15:50 by joke
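The step the answer leaves to the reader is going from the tshark conversation table to SplitCap arguments. The following is an added example (not code from the answer, from TShark or from SplitCap) that parses the text of `tshark -q -z conv,tcp -z conv,udp`, ranks conversations by frame count and emits one SplitCap command per conversation in the filter style used above, plus a tshark display filter you can run first to confirm the packet count. The table in `SAMPLE_CONV_OUTPUT` is constructed for the example; its column layout follows the tshark conversation table, and it deliberately mixes the plain-integer byte column of older releases with the "204 kB" style of newer ones so the parser is exercised on both. How SplitCap combines several `-ip` and `-port` values is not specified here; check its usage text before relying on a generated command to isolate exactly one conversation.

```python
"""Turn `tshark -q -z conv,tcp -z conv,udp` output into SplitCap filters.

Added example; not part of the original answer, of TShark or of SplitCap.
"""
import re
from dataclasses import dataclass

# Constructed sample of the tshark conversation tables (not real capture data).
SAMPLE_CONV_OUTPUT = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
200.73.183.213:4711    <-> 200.57.7.204:110         6     412       5     380      11     792     2.100000000         0.4100
================================================================================
UDP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
200.57.7.204:40376     <-> 200.57.7.196:40376    1024  204 kB    1021  203 kB    2045  407 kB     8.267031000        20.4521
200.57.7.204:5060      <-> 200.57.7.196:5060        9    5 kB       8    4 kB      17    9 kB     0.000000000        28.9102
200.57.7.204:2000      <-> 200.73.183.213:1000      3    1 kB       0 0 bytes       3    1 kB     1.220000000         0.0000
================================================================================
"""


@dataclass
class Conversation:
    proto: str        # "tcp" or "udp", taken from the table header
    addr_a: str
    port_a: int
    addr_b: str
    port_b: int
    frames: int       # "Total" frames column
    byte_count: int   # "Total" bytes column, normalised to bytes
    start: float      # relative start, seconds
    duration: float   # seconds


# A byte column is either a bare integer (older tshark) or "<n> <unit>" (newer).
_BYTES = r"\d+(?:\s+(?:bytes|kB|MB|GB))?"
_ROW = re.compile(
    r"^(?P<a>\S+?):(?P<pa>\d+)\s+<->\s+(?P<b>\S+?):(?P<pb>\d+)"
    rf"\s+(?P<f_in>\d+)\s+(?P<b_in>{_BYTES})"
    rf"\s+(?P<f_out>\d+)\s+(?P<b_out>{_BYTES})"
    rf"\s+(?P<f_tot>\d+)\s+(?P<b_tot>{_BYTES})"
    r"\s+(?P<start>[\d.]+)\s+(?P<dur>[\d.]+)\s*$"
)
_UNITS = {"bytes": 1, "kB": 1000, "MB": 1000 ** 2, "GB": 1000 ** 3}


def _parse_bytes(field: str) -> int:
    parts = field.split()
    return int(parts[0]) * (_UNITS[parts[1]] if len(parts) == 2 else 1)


def parse_conversations(text: str) -> list:
    """Parse every conversation row, remembering which table (TCP/UDP) it sits in."""
    convs, proto = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(" Conversations"):
            proto = stripped.split()[0].lower()
            continue
        m = _ROW.match(line)
        if m and proto:
            convs.append(Conversation(
                proto, m["a"], int(m["pa"]), m["b"], int(m["pb"]),
                int(m["f_tot"]), _parse_bytes(m["b_tot"]),
                float(m["start"]), float(m["dur"])))
    return convs


def top_talkers(convs: list, n: int = 5) -> list:
    """Largest conversations first, by frame count (the ones worth splitting out)."""
    return sorted(convs, key=lambda c: c.frames, reverse=True)[:n]


def _ports(conv: Conversation) -> list:
    # RTP often uses the same port on both ends; do not emit it twice.
    return [conv.port_a] if conv.port_a == conv.port_b else [conv.port_a, conv.port_b]


def splitcap_command(pcap: str, conv: Conversation, nosplit: bool = True) -> str:
    """SplitCap invocation in the -ip/-port style used in the answer above."""
    parts = ["splitcap", "-r", pcap, "-ip", conv.addr_a, "-ip", conv.addr_b]
    for port in _ports(conv):
        parts += ["-port", str(port)]
    if nosplit:
        parts += ["-s", "nosplit"]
    return " ".join(parts)


def display_filter(conv: Conversation) -> str:
    """Equivalent tshark -Y filter (IPv4 only: IPv6 would need ipv6.addr)."""
    terms = [f"ip.addr=={conv.addr_a}", f"ip.addr=={conv.addr_b}"]
    terms += [f"{conv.proto}.port=={p}" for p in _ports(conv)]
    return " && ".join(terms)


if __name__ == "__main__":
    pcap = "SIP_CALL_RTP_G711.pcap"
    for conv in top_talkers(parse_conversations(SAMPLE_CONV_OUTPUT), 3):
        print(splitcap_command(pcap, conv))
        # Check before splitting: the line count should equal conv.frames.
        print(f"  tshark -r {pcap} -Y '{display_filter(conv)}' | wc -l   # expect {conv.frames}")
```

In practice you would feed the real table in with `subprocess.run(["tshark", "-r", pcap, "-q", "-z", "conv,tcp", "-z", "conv,udp"], capture_output=True, text=True).stdout` instead of the constructed sample; the frame count from the display filter check is the quickest way to see whether the SplitCap filter you built actually captures one conversation or several.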