Tuesday, April 12, 2011

Splitcap - the PCAP file splitter

SplitCap is an open-source pcap file splitter. It splits one big PCAP file into multiple files based on TCP and UDP sessions, one PCAP file per session; it can also write one PCAP file per host-pair instead of per session. The TCP and UDP session concept in SplitCap is defined as bi-directional flows, i.e., all frames/packets with the same 5-tuple (source host, destination host, source port, destination port, transport protocol), regardless of packet direction, are considered part of the same session.

SplitCap is written in C# using .NET Framework 2.0.

Usage: SplitCap [OPTIONS]…


OPTIONS:

-r <input_file> : Set the pcap file to read from

-o <output_directory> : Manually specify output directory

-d : Delete previous output data

-p <nr_parallel_sessions> : Set the number of parallel sessions to keep in memory (default = 10000). More sessions might be needed to split pcap files from busy links such as an Internet backbone link; this will however require more memory.

-b <file_buffer_bytes> : Set the number of bytes to buffer for each session/output file (default = 10000). Larger buffers will speed up the process due to fewer disk write operations, but will occupy more memory.

-s <GROUP> : Split traffic and group packets to pcap files based on <GROUP>. Possible values for <GROUP> are:

flow : Each flow, i.e. unidirectional traffic for a 5-tuple, is grouped

host : Traffic grouped to one file per host. Most packets will end up in two files.

hostpair : Traffic grouped based on host-pairs communicating

nosplit : Do not split traffic. Only create ONE output pcap.

(default) session : Packets for each session (bi-directional flow) are grouped

-ip <IP address to filter on>

-port <port number to filter on>

-y <FILETYPE> : Output file type for extracted data. Possible values for <FILETYPE> are:

L7 : Only store application layer data

(default) pcap : Store complete pcap frames


Example 1: SplitCap -r dumpfile.pcap

Example 2: SplitCap -r dumpfile.pcap -o session_directory

Example 3: SplitCap -r dumpfile.pcap -s hostpair

Example 4: SplitCap -r dumpfile.pcap -s flow -y L7

Example 5: SplitCap -r dumpfile.pcap -ip 1.2.3.4 -port 80 -port 443 -s nosplit
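The grouping rules behind the -s <GROUP> values (session, flow, host, hostpair, nosplit) and the -y L7 output mode, worked through on a small constructed capture. This is an added illustration written for this post, not SplitCap's own C# code; the packet tuples and function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic):
# (src_ip, dst_ip, src_port, dst_port, proto, l7_payload)
PACKETS = [
    ("10.0.0.1", "93.184.216.34", 51000, 80, "TCP", b""),                 # SYN
    ("93.184.216.34", "10.0.0.1", 80, 51000, "TCP", b""),                 # SYN/ACK
    ("10.0.0.1", "93.184.216.34", 51000, 80, "TCP", b"GET / HTTP/1.1\r\n"),
    ("93.184.216.34", "10.0.0.1", 80, 51000, "TCP", b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.1", "8.8.8.8", 40000, 53, "UDP", b"\x12\x34\x01\x00"),       # DNS query
    ("8.8.8.8", "10.0.0.1", 53, 40000, "UDP", b"\x12\x34\x81\x80"),       # DNS reply
    ("10.0.0.2", "93.184.216.34", 51001, 443, "TCP", b""),
]

def output_keys(pkt, group):
    """Output-file key(s) one packet maps to under each -s <GROUP> value."""
    src, dst, sport, dport, proto, _ = pkt
    if group == "flow":       # unidirectional 5-tuple: each direction is its own file
        return [(proto, src, sport, dst, dport)]
    if group == "session":    # bi-directional: canonicalise endpoint order so both
        lo, hi = sorted([(src, sport), (dst, dport)])  # directions share one key
        return [(proto, lo[0], lo[1], hi[0], hi[1])]
    if group == "hostpair":   # one file per pair of communicating hosts, any port
        return [tuple(sorted((src, dst)))]
    if group == "host":       # packet is copied into both endpoints' files
        return [src, dst] if src != dst else [src]
    if group == "nosplit":    # everything goes to a single output pcap
        return ["all"]
    raise ValueError(f"unknown group: {group}")

def split(packets, group="session"):
    """Distribute packets into output files the way SplitCap's -s option does."""
    files = defaultdict(list)
    for pkt in packets:
        for key in output_keys(pkt, group):
            files[key].append(pkt)
    return files

def l7_data(files):
    """-y L7 equivalent: keep only the concatenated application-layer bytes per file."""
    return {key: b"".join(p[5] for p in pkts) for key, pkts in files.items()}
```

Running split(PACKETS, "session") yields three files, while "flow" yields five because each direction of the HTTP and DNS exchanges is kept separately.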

SplitCap was created as part of the Statistical Protocol IDentification research project carried out by Erik Hjelmvik with funding from .SE (The Swedish Internet Infrastructure Foundation).


Since version 1.5, SplitCap can also be used to efficiently filter a large PCAP file based on one or several IP addresses or TCP/UDP port numbers. Simply use the “-s nosplit” option together with one or several “-port” or “-ip” switches to specify what traffic to keep from the large pcap file. SplitCap performs this type of filtering much faster and with far less memory usage than tshark.

More details about SplitCap here.