The following post covers the steps required to split a large PCAP file into multiple PCAP files on Windows 10.
You can use Wireshark or SplitCap to accomplish the task.
1. Windows 10 x64
2. Wireshark 2.2.0 x64 or higher
3. WinPcap 4.1.3 or higher (optional)
4. SplitCap as an alternative tool to Wireshark
Splitting Process by using Wireshark
1. Create a new empty folder.
2. Copy the PCAP sample file to the new folder.
* The sample PCAP that was used in my lab was downloaded from the following link.
3. Open the command line and navigate to the folder that contains the PCAP sample file.
4. Use the following command to split the PCAP into multiple files (e.g. exportpcap*.pcap), each containing 100 packets (or another value of your choice).
"C:\Program Files\Wireshark\editcap.exe" -c 100 c1.pcap exportpcap.pcap
5. Review the folder content by using Microsoft Explorer or the 'dir' command.
6. Use the following command to review the names of the new PCAP files and the number of packets in each.
"C:\Program Files\Wireshark\capinfos.exe" -c exportpcap*.pcap |more
Splitting Process by using SplitCap:
1. Use the following command to split the PCAP into multiple files (e.g. c1.pcap.Packets_*.pcap), each containing 100 packets.
SplitCap.exe -r c:\pcap\c1.pcap -s packets 100
2. Review the folder content by using Microsoft Explorer or the 'dir' command.
Note: On *NIX systems you can use the 'tcpdump' command, which splits by file size rather than by packet count (-C 100 starts a new file after about 100 million bytes):
tcpdump -r old_file -w new_files -C 100
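
What a packet-count split like the ones above involves at the file level, as an added Python example (not part of the original post and not the code of editcap or SplitCap): every output file must repeat the 24-byte global header, and the chunk packet counts should add up to the original. It assumes the classic pcap format (not pcapng); the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond variants), as seen
# when the first 4 bytes are read as a little-endian integer -> byte order.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def iter_records(data: bytes):
    """Yield each raw packet record (16-byte header + captured bytes)."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian = MAGICS[magic]
    offset = GLOBAL_HDR_LEN
    while offset < len(data):
        header = data[offset:offset + RECORD_HDR_LEN]
        if len(header) < RECORD_HDR_LEN:
            raise ValueError(f"truncated record header at offset {offset}")
        incl_len = struct.unpack(endian + "I", header[8:12])[0]
        end = offset + RECORD_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError(f"truncated packet data at offset {offset}")
        yield data[offset:end]
        offset = end


def split_pcap(data: bytes, packets_per_file: int) -> list:
    """Split a capture into chunks; every chunk repeats the global header."""
    if packets_per_file < 1:
        raise ValueError("packets_per_file must be >= 1")
    records = list(iter_records(data))
    return [data[:GLOBAL_HDR_LEN] + b"".join(records[i:i + packets_per_file])
            for i in range(0, len(records), packets_per_file)]


def count_packets(data: bytes) -> int:
    """Number of packet records in a capture (raises on a truncated file)."""
    return sum(1 for _ in iter_records(data))


# Constructed sample: little-endian pcap, Ethernet link type, 5 dummy packets.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1700000000 + i, 0, 4 + i, 4 + i) + bytes([i]) * (4 + i)
    for i in range(5))
```

Comparing the sum of count_packets() over the chunks with the count for the original file is a quick check that no packets were lost in the split.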