Mar 28, 2011

How to Split Large Packet Capture Files on the Linux Operating System

Summary

This article describes how to split large packet capture files on the Linux operating system.

On occasion, you obtain packet captures that are too large for Wireshark to manage and you receive the following error message:

"Out Of Memory!

Sorry, but Wireshark has to terminate now!"

ap-util3.JPG

Option 1

An option to reduce the size of this file is to use a Perl script that is available for download from http://www.badpenguin.co.uk/files/pcap-util. This script can be used to extract packets from a specified time period (using the timestamp in the packet header) out of a huge dump file and copy them into a new file that should be much smaller and much easier and faster to analyze.

Alternatively you can use it to split the huge file into several smaller files of x MB each.

Option 2

It is also possible to use the libpcap filter language to extract packets from the source file as shown below:

pcap-util filter nstrace2.pcap before-trace.pcap "host 10.10.10.10 and port 22"

This utility makes use of Net::Pcap module, which you can get from CPAN, or if you are on a Debian distribution such as Ubuntu, you can just "apt-get install libnet-pcap-perl".

A Fedora based system with yum can use “yum install perl-Net-Pcap.i386”.

ap-util.JPG

In this example, the file nstrace2.pcap is split into files with the prefix before_trace and the size of 500MB.

ap-util2.JPG

The command to do this is:

# /home/etargonski/pcap-util.pl split nstrace2.pcap before_trace 500

This results in the following :




-rw-r--r-- 1 root root 497M 2008-11-07 12:52 before_trace.0.tcpdump


-rw-r--r-- 1 root root 497M 2008-11-07 12:53 before_trace.1.tcpdump

-rw-r--r-- 1 root root 497M 2008-11-07 12:54 before_trace.2.tcpdump

-rw-r--r-- 1 root root 497M 2008-11-07 12:54 before_trace.3.tcpdump

-rw-r--r-- 1 root root 277M 2008-11-07 12:54 before_trace.4.tcpdump





Now you will be able to open these files with no errors related to file size. The described script is also able to filter packets out from a specific time period and can filter packets using the libpcap filter language as stated:

Extract packets from time period

--------------------------------

/home/etargonski/pcap-util.pl time <infile> <outfile> <Start time> <End time>




Extract packets using libpcap filter language

---------------------------------------------

/home/etargonski/pcap-util.pl filter <infile> <outfile> "libpcap filter string"

More Information

Download for script http://www.badpenguin.co.uk/files/pcap-util




Source: citrix.com

or simply

You can use tcpdump itself with the -C, -r and -w options

tcpdump -r old_file -w new_files -C 10

0 COMMENT :

Post a Comment

Related Posts with Thumbnails