Reputation: 1583
I have a large pcap file, and I would like to generate a new pcap that contains only the first ten minutes of traffic. Can I do this with tcpdump? I have seen editcap mentioned online, but I would like to use tcpdump if possible.
Upvotes: 2
Views: 2570
Reputation: 6254
You can do this with tcpdump; however, it would be much simpler with editcap, because the only practical way to do this with tcpdump that I can think of is to use Wireshark (or tshark) to first find the frame number of the packet that is at least 10 minutes into the capture file. Once you have the frame number, tcpdump can be used to only save packets up until that frame, effectively limiting the output file to the desired 10 minute duration. Here's how:

First, find the first packet that is at least 10 minutes into the capture file (here I'll illustrate with tshark, but Wireshark could be used as well):
tshark -r bigfile.pcap -Y "frame.time_relative <= 600.0"
Note the frame number of the last packet displayed. (The frame number is the first number of each row, assuming standard tshark columns.) For illustrative purposes, let's say it's frame number 21038.

Second, use tcpdump to only save the first 21038 frames to a new file:
tcpdump -r bigfile.pcap -c 21038 -w bigfile_first10min.pcap
But since editcap comes with the Wireshark suite, you could much more simply accomplish the equivalent by using the following, which will split up the large capture file into capture files each of 10 minutes in duration (except the last one, which might be less):
editcap -F pcap -i 600 bigfile.pcap bigfile_split10min.pcap
If you're only interested in the first file, then disregard the rest of them.
Of course, as noted by @madmax1, you could also apply a simple modification to the above tshark command to write the packets matching the filter to a new file:
tshark -r bigfile.pcap -Y "frame.time_relative <= 600.0" -w bigfile_first10min.pcap
Upvotes: 5
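As an added example that is not part of the question or the answer above: the same "first 600 seconds" cut, done by reading the classic pcap record headers directly in Python rather than through tcpdump, tshark or editcap. It applies the same test as the tshark filter frame.time_relative <= 600.0 (timestamp relative to the first record), handles both endiannesses and the nanosecond-resolution magic, and stops cleanly at a truncated trailing record; pcapng input is rejected. The build_pcap helper and its dummy packets are constructed test data.

```python
import struct
import sys

# pcap magic numbers (as the first 4 bytes of the file); the 0xa1b23c4d
# variant means the sub-second field holds nanoseconds instead of microseconds
LE_MAGIC = {b"\xd4\xc3\xb2\xa1": 1e6, b"\x4d\x3c\xb2\xa1": 1e9}
BE_MAGIC = {b"\xa1\xb2\xc3\xd4": 1e6, b"\xa1\xb2\x3c\x4d": 1e9}


def keep_first_seconds(pcap_bytes, seconds):
    """Return (new_pcap_bytes, kept_count): only records whose timestamp is
    within `seconds` of the first record, i.e. frame.time_relative <= seconds.
    Unlike `tcpdump -c N`, this does not rely on records being in time order."""
    magic = pcap_bytes[:4]
    if magic in LE_MAGIC:
        endian, frac_div = "<", LE_MAGIC[magic]
    elif magic in BE_MAGIC:
        endian, frac_div = ">", BE_MAGIC[magic]
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    out = bytearray(pcap_bytes[:24])  # 24-byte global header is copied verbatim
    pos, first_ts, kept = 24, None, 0
    while pos + 16 <= len(pcap_bytes):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[pos:pos + 16])
        rec_end = pos + 16 + incl_len
        if rec_end > len(pcap_bytes):
            break  # truncated last record: stop rather than copy a partial frame
        ts = ts_sec + ts_frac / frac_div
        if first_ts is None:
            first_ts = ts
        if ts - first_ts <= seconds:
            out += pcap_bytes[pos:rec_end]
            kept += 1
        pos = rec_end
    return bytes(out), kept


def build_pcap(timestamps, nanos=False):
    """Constructed test capture (hypothetical data): one 4-byte dummy packet per
    timestamp, little-endian, link type 1 (Ethernet)."""
    unit = 1e9 if nanos else 1e6
    hdr = struct.pack("<IHHiIII", 0xa1b23c4d if nanos else 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", int(t), int(round((t % 1) * unit)), 4, 4)
                    + b"\xde\xad\xbe\xef" for t in timestamps)
    return hdr + recs


if __name__ == "__main__":  # usage: script.py in.pcap out.pcap [seconds]
    secs = float(sys.argv[3]) if len(sys.argv) > 3 else 600.0
    with open(sys.argv[1], "rb") as f:
        data, n = keep_first_seconds(f.read(), secs)
    with open(sys.argv[2], "wb") as f:
        f.write(data)
    print(f"kept {n} records")
```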