SplitCap is writtern C# using .NET framework 2.0.
Usage: SplitCap [OPTIONS]…
-r <input_file> : Set the pcap file to read from
-o <output_directory> : Manually specify output directory
-d : Delete previous output data
-p <nr_parallel_sessions> : Set the number of parallel sessions
to keep in memory (default = 10000). More sessions might be needed to
split pcap files from busy links such as an Internet backbone link, this
will however require more memory
-b <file_buffer_bytes> : Set the number of bytes to buffer for
each session/output file (default = 10000). Larger buffers will speed up
the process due to fewer disk write operations, but will occupy more
-s <GROUP> : Split traffic and group packets to pcap files based on <GROUP>. Possible values for <GROUP> are:
flow : Each flow, i.e. unidirectional traffic for a 5-tuple, is grouped
host : Traffic grouped to one file per host. Most packets will end up in two files.
hostpair : Traffic grouped based on host-pairs communicating
nosplit : Do not split traffic. Only create ONE output pcap.
(default) session : Packets for each session (bi-directional flow) are grouped
-ip <IP address to filter on>
-port <port number to filter on>
-y <FILETYPE> : Output file type for extracted data. Possible values for <FILETYPE> are:
L7 : Only store application layer data
(default) pcap : Store complete pcap frames
Example 1: SplitCap -r dumpfile.pcap
Example 2: SplitCap -r dumpfile.pcap -o session_directory
Example 3: SplitCap -r dumpfile.pcap -s hostpair
Example 4: SplitCap -r dumpfile.pcap -s flow -y L7
Example 5: SplitCap -r dumpfile.pcap -ip 126.96.36.199 -port 80 -port 443 -s nosplit
SplitCap is created as part of the Statistical Protocol IDentification research project carried out by Erik Hjelmvik with fundings from .SE (The Swedish Internet Infrastructure Foundation).
SplitCap can since version 1.5 also be used in order to efficiently
filter a large PCAP file based on one or several IP addresses or TCP/UDP
port numbers. Simply use the “-s nosplit” option together with one
or several “-port” or “-ip” switches to specify what traffic to keep
from the large pcap file. SplitCap performs this type of filtering
much faster and with way less memory usage compared to tshark.
More details about SplitCAP here.