Splitting a very large packet capture

If a packet capture is over a certain file size, e.g. 300Mb+, it may be worth splitting it into smaller chunks for processing or distribution. You can do this using the “editcap” Wireshark command-line tool.

(For Windows) – Firstly, copy the packet capture to your “C:\Program files\Wireshark” folder. Then use the “capinfos -c” command on the packet capture to find out how many packets it contains, as below:

C:\Program Files\Wireshark>capinfos -c samplepacketcapture.cap
File name: samplepacketcapture.cap
Number of packets: 1070031

As we have 1,070,031 packets, it may be beneficial to split them into pcaps of 50,000 each:

C:\Program Files\Wireshark>editcap -c 50000 samplepacketcapture.cap

When the command has completed successfully, there will be a number of smaller .cap files in the same directory, each containing 50,000 packets (the last one holds whatever remains).

Merging lots of packet captures into a single Pcap

Sometimes we may wish to merge multiple packet captures, e.g. 4-5 100Mb captures, into a single one for analysis. This also removes TCP analysis errors such as “Ack received for unknown packet” that appear when a conversation is split across files. To do this (for Windows), first copy the packet captures to your “C:\Program Files\Wireshark” folder. Then use the “mergecap.exe” program, which works similarly to editcap:

C:\Program Files\Wireshark>mergecap -w master-cap.cap subcap1.cap subcap2.cap subcap3.cap

In this command, we are merging subcap1 – subcap3 into a single file called master-cap.cap.
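To show what editcap -c and mergecap are actually doing to the file, here is an added illustration (not Wireshark's own code) that splits and merges the classic little-endian libpcap format by hand; the sample capture is constructed inline, and pcapng or big-endian files are deliberately rejected.

```python
import struct

# Classic libpcap layout, as editcap and mergecap read/write it by default:
# a 24-byte global header, then a 16-byte record header in front of every packet.
PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
# A parsed packet is the tuple (ts_sec, ts_usec, orig_len, captured bytes).

def parse_pcap(blob: bytes):
    """Return (global header fields, packets). Refuses pcapng and big-endian captures."""
    hdr = GLOBAL_HDR.unpack_from(blob, 0)
    if hdr[0] != PCAP_MAGIC:
        raise ValueError(f"unsupported magic {hdr[0]:#x}")
    pkts, off = [], GLOBAL_HDR.size
    while off < len(blob):
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if incl_len > hdr[5] or off + incl_len > len(blob):   # hdr[5] is the snaplen
            raise ValueError(f"bad record header at offset {off - RECORD_HDR.size}")
        pkts.append((ts_sec, ts_usec, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return hdr, pkts

def build_pcap(hdr: tuple, pkts: list) -> bytes:
    out = [GLOBAL_HDR.pack(*hdr)]
    for ts_sec, ts_usec, orig_len, data in pkts:
        out.append(RECORD_HDR.pack(ts_sec, ts_usec, len(data), orig_len) + data)
    return b"".join(out)

def split_pcap(blob: bytes, per_file: int) -> list:
    """What 'editcap -c N' does: every chunk repeats the global header; the last chunk may be short."""
    hdr, pkts = parse_pcap(blob)
    return [build_pcap(hdr, pkts[i:i + per_file]) for i in range(0, len(pkts), per_file)]

def merge_pcaps(blobs: list, concatenate: bool = False) -> bytes:
    """mergecap's default orders packets by timestamp; concatenate=True mirrors '-a'."""
    parsed = [parse_pcap(b) for b in blobs]
    first = parsed[0][0]
    for hdr, _ in parsed[1:]:
        if hdr[5:7] != first[5:7]:    # snaplen and linktype must agree across inputs
            raise ValueError("inputs differ in snaplen/linktype; mergecap would need -s or -T")
    pkts = [p for _, ps in parsed for p in ps]
    if not concatenate:
        pkts.sort(key=lambda p: (p[0], p[1]))
    return build_pcap(first, pkts)

# Constructed sample: 7 Ethernet-linktype packets with increasing timestamps (not a real capture).
SAMPLE_HDR = (PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
SAMPLE = build_pcap(SAMPLE_HDR, [(1700000000 + i, i * 1000, 60, bytes([i]) * 60) for i in range(7)])
```

Splitting SAMPLE into chunks of 3 gives files of 3, 3 and 1 packets, and merging the chunks in any order rebuilds the original byte-for-byte, whereas the -a style concatenation only does so if the inputs are already in chronological order.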

That's all there is to it. For reference, some useful mergecap options are:

Usage: mergecap [options] -w <outfile>|- <infile> ...
Output:
 -a                concatenate rather than merge files.
                   default is to merge based on frame timestamps.
 -s <snaplen>      truncate packets to <snaplen> bytes of data.
 -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
 -F <capture type> set the output file type; default is libpcap.
                   an empty "-F" option will list the file types.
 -T <encap type>   set the output file encapsulation type;
                   default is the same as the first input file.
                   an empty "-T" option will list the encapsulation types.
 -h                display this help and exit.
 -v                verbose output.