How to split a large PCAP file to multiple PCAP files on Windows 10

September 22, 2016

Introduction

This post covers the steps required to split a large PCAP file into multiple smaller PCAP files on Windows 10.

You can use Wireshark's command-line tool editcap, or SplitCap, to accomplish this. Both split by packet count, so every output file is a valid capture on its own.

Prerequisites

1. Windows 10 x64

2. Wireshark 2.2.0 x64 or higher

3. WinPcap 4.1.3 or higher (optional; it is only needed for live capture. editcap and capinfos only read and write files and do not require it)

4. SplitCap as an alternative tool to Wireshark (a .NET application, so the .NET Framework must be present)

Splitting Process by using Wireshark

1. Create a new empty folder.

2. Copy the sample PCAP file into the new folder.

* The sample PCAP used in my lab was downloaded from the following link.

3. Open a command prompt and change to the folder that contains the PCAP sample file.

4. Use the following command to split the PCAP into multiple files, each containing 100 packets (or any other count you choose). editcap names the pieces exportpcap_NNNNN_<timestamp>.pcap, numbering them from 00000:

"C:\Program Files\Wireshark\editcap.exe" -c 100 c1.pcap exportpcap.pcap

Note that editcap writes pcapng format by default, regardless of the .pcap extension you give the output name. If a downstream tool only understands classic pcap, add -F pcap before the input file name.

5. Review the folder contents with Windows Explorer or the 'dir' command.

6. Use the following command to list the new PCAP file names and the number of packets in each (capinfos -c prints only the packet count):

"C:\Program Files\Wireshark\capinfos.exe" -c exportpcap*.pcap |more

Splitting Process by using SplitCap:

1. Use the following command to split the PCAP into multiple files (named c1.pcap.Packets_*.pcap), each containing 100 packets. The -r option names the input file and -s packets 100 selects split-by-packet-count mode:

SplitCap.exe -r c:\pcap\c1.pcap -s packets 100

2. Review the folder contents with Windows Explorer or the 'dir' command.
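To show what editcap -c and SplitCap -s packets actually do to the bytes on disk, here is an added example that is not part of the original post and is not code from Wireshark or NETRESEC: a small Python 3 script (standard library only, so it also runs on Windows 10 without Wireshark installed) that parses the classic pcap format, splits a capture into pieces of N packets, repeats the 24-byte global header on every piece so each one opens on its own, and counts packets per piece the way capinfos -c does. The function names, the exportpcap_00000.pcap-style output naming, and the embedded sample capture are my own constructions (the sample is generated in memory). It deliberately rejects pcapng input, which is what editcap writes by default, and truncated or oversized records, rather than silently producing broken pieces.

```python
"""Split a classic pcap into fixed-packet-count pieces, the way editcap -c and
SplitCap -s packets do, by walking the file format directly (no Wireshark needed)."""
import os
import struct
from typing import Iterator, List

# Classic libpcap magic numbers: microsecond/nanosecond timestamps, either byte order.
# Value is (struct endianness prefix, timestamp fraction units per second).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block: a different format
GLOBAL_HDR_LEN = 24  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16  # ts_sec, ts_frac, incl_len, orig_len


def iter_records(data: bytes) -> Iterator[bytes]:
    """Yield each packet record (16-byte header + captured bytes) from a pcap blob.

    Rejects pcapng input and truncated or oversized records instead of silently
    emitting garbage, which a splitter used on evidence must never do.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng input; convert it with 'editcap -F pcap' first")
    if magic not in PCAP_MAGICS:
        raise ValueError("unknown magic %r; not a classic pcap" % magic)
    endian, _ = PCAP_MAGICS[magic]
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        end = off + RECORD_HDR_LEN + incl_len
        if (snaplen and incl_len > snaplen) or end > len(data):
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off))
        yield data[off:end]
        off = end


def split_pcap(data: bytes, packets_per_file: int) -> List[bytes]:
    """Return pieces of at most packets_per_file packets, each a complete pcap.

    Every piece starts with a copy of the original global header (magic, version,
    snaplen, link type), which is exactly what editcap -c / SplitCap write to disk.
    """
    if packets_per_file <= 0:
        raise ValueError("packets_per_file must be positive")
    global_hdr = data[:GLOBAL_HDR_LEN]
    pieces, current, count = [], [global_hdr], 0
    for rec in iter_records(data):
        current.append(rec)
        count += 1
        if count == packets_per_file:
            pieces.append(b"".join(current))
            current, count = [global_hdr], 0
    if count:  # final, shorter piece (the "50 packets" remainder)
        pieces.append(b"".join(current))
    return pieces


def count_packets(data: bytes) -> int:
    """Packet count of one pcap blob, like 'capinfos -c'."""
    return sum(1 for _ in iter_records(data))


def write_pieces(pieces: List[bytes], out_path: str) -> List[str]:
    """Write pieces as <stem>_00000<ext>, <stem>_00001<ext>, ... (assumed naming;
    editcap additionally appends the first packet's timestamp to each name)."""
    stem, ext = os.path.splitext(out_path)
    names = []
    for i, piece in enumerate(pieces):
        name = "%s_%05d%s" % (stem, i, ext or ".pcap")
        with open(name, "wb") as fh:
            fh.write(piece)
        names.append(name)
    return names


def build_sample_pcap(n_packets: int, endian: str = "<") -> bytes:
    """Constructed test input: a v2.4 microsecond pcap, LINKTYPE_ETHERNET (1),
    snaplen 65535, holding n_packets small frames of varying length."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    out = [magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, 65535, 1)]
    for i in range(n_packets):
        frame = b"\xff" * 12 + b"\x08\x00" + bytes([i % 256]) * (20 + i % 7)
        out.append(struct.pack(endian + "IIII", 1474502400 + i, i, len(frame), len(frame)) + frame)
    return b"".join(out)


if __name__ == "__main__":
    import sys, tempfile
    if len(sys.argv) >= 3:  # usage: split_pcap.py input.pcap exportpcap.pcap [packets_per_file]
        src, dst = sys.argv[1], sys.argv[2]
        per_file = int(sys.argv[3]) if len(sys.argv) > 3 else 100
        with open(src, "rb") as fh:
            blob = fh.read()
    else:  # no arguments: split the constructed 250-packet sample into a temp folder
        blob, per_file = build_sample_pcap(250), 100
        dst = os.path.join(tempfile.mkdtemp(), "exportpcap.pcap")
    for name in write_pieces(split_pcap(blob, per_file), dst):
        with open(name, "rb") as fh:
            print("%s: %d packets" % (name, count_packets(fh.read())))
```

Run it as python split_pcap.py c1.pcap exportpcap.pcap 100 to split a real classic-pcap file, or with no arguments to split the constructed 250-packet sample into a temporary folder (three pieces of 100, 100 and 50 packets). The whole file is read into memory for simplicity; for multi-gigabyte captures you would stream the records instead, but the per-record header walk and the repeated global header are the same.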

Note: on *NIX systems you can use the 'tcpdump' command, which splits by output file size rather than by packet count:

tcpdump -r old_file -w new_files -C 100

Here -C 100 closes each output file after roughly 100 million bytes (units of 1,000,000 bytes, not MiB); tcpdump names the pieces new_files, new_files1, new_files2 and so on. editcap and capinfos are also shipped with Wireshark on Linux and macOS, so the packet-count method above works there as well.
