www.badpenguin.co.uk

tcpdump, ethereal, wireshark, snoop, etc all use the pcap file format for saving packet capture information. That means you can capture information from say OpenBSD PF and then analyse the data in wireshark. The only problem I find is that capture files can get huge and when that happens they are a real PITA to analyse.

 

That's why I wrote this perl script. It allows you to extract packets from a specified time period (using the timestamp in the packet header) out of a huge dump file and copy them into a new file that should be much smaller and much easier and faster to analyse. Alternatively you can use it to split the huge file into several smaller files of x MB each.

 

This should be useful to anyone analysing a network packet capture file. Rather than using filters to look at a 500MB file extract the packets for the time period you are interested in and just look at those! 

 

UPDATE 2006-11-08 - Now supports libpcap filter language (as seen in tcpdump)

 

The pcap utility has been improved and we can now extract packets from the source file using the libpcap filter language.

 

For Example: pcap-util filter infile.dump outfile.dump "host 10.10.10.10 and port 22"

 

 

We make use of the Net::Pcap module, which you can get from CPAN or if you are on a Debian distribution such as Ubuntu you can just "apt-get install libnet-pcap-perl" 

 

==> Download pcap-util

 

License; GNU GPL version 2

Copyright: Mark Boddington (C) 2006 

 

I had to call it pcap-util, because this server tries to process .pl and .pl.gz as CGI and generates an internal server error?!??!?!?!?!? Hmmmm, well moving swiftly on.....

 

mark@boxen:~$ ./pcap-util.pl

This utility will take a pcap file from a packet capture program like tcpdump
and split it into smaller parts to aid analysis. There are three options.

 1. You can split the file into several smaller ones of x bytes in length
 2. You can extract packets that fall within a specified time period
 3. You can extract packets that match a libpcap filter string.

Split into smaller files
------------------------
./pcap-util split <infile> <outfile prefix> <size in MB>

Extract packets from time period
--------------------------------
./pcap-util time <infile> <outfile> <Start time> <End time>

Extract packets using libpcap filter language
---------------------------------------------
./pcap-util filter <infile> <outfile> "libpcap filter string"


** Time format should be YYYY-MM-DD:hh:mm:ss **