Reputation: 385
I am trying to slice a large PCAP file (3 GB) using tshark in Ubuntu. The code below is what I am trying to do:
tshark -r dia5_20Jan17.pcap -Y '((frame.time >= "2017-01-20 10:32:00") && (frame.time <= "2017-01-20 18:44:00"))' -w 1.pcap
The problem is the RAM usage:
The command is using 95% of memory (8 GB). Is there a better way of slicing the PCAP file? I tried Python too...
Upvotes: 0
Views: 2591
Reputation: 62
I haven't tried it just now, but my guess is that the memory footprint is mostly caused by the TCP dissector tracking connections etc. If you create a profile where you disable all dissectors you do not need (and since you're filtering on frame meta info only that's probably all of them) you might save a lot of RAM.
The way I would do this is
As I've said, I haven't tested this for your case, but I use reduced dissection settings a lot when carving packets from pcaps. It's faster, gives fewer errors, and can save RAM.
Upvotes: 1
Reputation: 6254
You can use editcap to split up capture files. For example:
editcap -A "2017-01-20 10:32:00" -B "2017-01-20 18:44:00" infile.pcap outfile.pcap
Upvotes: 2
Reputation: 30285
tshark isn't the best tool for the job. I've had good experience with libtrace (github link), which gives a nice toolbox for handling capture files. Specifically, in your case, the tracesplit tool.
Note that most of their examples are with a capture format called erf, not pcap. But they support pcap files, you just have to specify it.
The equivalent tracesplit command would be something like:
tracesplit --starttime=1484908320 --endtime=1484937840 --compress-type=none pcapfile:dia5_20Jan17.pcap pcapfile:1.pcap
Upvotes: 1
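The reason editcap and tracesplit stay cheap is that a time-window cut never needs protocol dissection: every libpcap record starts with a 16-byte header that already carries the timestamp, so the file can be streamed and only the records inside the window copied out. The following is an added example (not code from the thread or from Wireshark/libtrace) that does exactly that in pure Python, with memory bounded by the largest single packet rather than by the capture size. The sample capture, the window (the question's 10:32 to 18:44 on 2017-01-20, taken as UTC) and the helper names `slice_pcap`, `build_pcap` and `to_ns` are all assumptions made for the example; it also handles both byte orders and the nanosecond-resolution magic, and refuses pcapng input, which this record layout does not cover.

```python
"""Stream a libpcap (.pcap) file and keep only records inside a time window.

Added example, not from the original thread. Only the 24-byte file header
and the 16-byte per-record headers are interpreted; packet bytes are copied
through untouched, so RAM use is independent of capture size.
"""
import io
import struct
from datetime import datetime, timedelta, timezone

# First four bytes of the file -> (struct byte-order prefix, ns per tick).
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1000),  # little-endian, microsecond ticks
    b"\xa1\xb2\xc3\xd4": (">", 1000),  # big-endian, microsecond ticks
    b"\x4d\x3c\xb2\xa1": ("<", 1),     # little-endian, nanosecond ticks
    b"\xa1\xb2\x3c\x4d": (">", 1),     # big-endian, nanosecond ticks
}
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_ns(dt: datetime) -> int:
    """tz-aware datetime -> integer nanoseconds since the Unix epoch.

    pcap timestamps are UTC; tshark's frame.time filter uses local time,
    so build the datetime in the capture host's zone and let tzinfo convert.
    """
    if dt.tzinfo is None:
        raise ValueError("use a tz-aware datetime; pcap timestamps are UTC")
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 1000


def slice_pcap(src, dst, start_ns, end_ns, assume_sorted=False):
    """Copy records with start_ns <= ts <= end_ns from src to dst.

    src/dst are binary file-like objects. Returns (kept, scanned).
    Records in a pcap are not guaranteed to be time-ordered (merged or
    multi-interface captures), so the whole file is scanned unless the
    caller asserts ordering with assume_sorted=True.
    """
    hdr = src.read(GLOBAL_HDR_LEN)
    if len(hdr) != GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    try:
        endian, tick_ns = _MAGICS[hdr[:4]]
    except KeyError:
        raise ValueError("not a classic libpcap file (pcapng?); convert first")
    dst.write(hdr)  # link type, snaplen and byte order are kept as-is
    rec_fmt = endian + "IIII"  # ts_sec, ts_frac, incl_len, orig_len
    kept = scanned = 0
    while True:
        rh = src.read(RECORD_HDR_LEN)
        if not rh:
            break
        if len(rh) != RECORD_HDR_LEN:
            raise ValueError(f"truncated record header after {scanned} records")
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(rec_fmt, rh)
        data = src.read(incl_len)
        if len(data) != incl_len:
            raise ValueError(f"truncated packet data in record {scanned}")
        scanned += 1
        ts_ns = ts_sec * 10**9 + ts_frac * tick_ns
        if assume_sorted and ts_ns > end_ns:
            break  # every later record is also past the window
        if start_ns <= ts_ns <= end_ns:
            dst.write(rh)
            dst.write(data)
            kept += 1
    return kept, scanned


def build_pcap(packets, nano=False, big_endian=False):
    """Constructed fixture: (ts_sec, ts_frac, payload) tuples -> pcap bytes."""
    endian = ">" if big_endian else "<"
    magic = 0xA1B23C4D if nano else 0xA1B2C3D4
    # magic, major=2, minor=4, thiszone=0, sigfigs=0, snaplen, linktype=1 (Ethernet)
    out = bytearray(struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1))
    for ts_sec, ts_frac, payload in packets:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(payload), len(payload))
        out += payload
    return bytes(out)


# The question's window, interpreted as UTC (1484908320 .. 1484937840).
WINDOW_START = to_ns(datetime(2017, 1, 20, 10, 32, tzinfo=timezone.utc))
WINDOW_END = to_ns(datetime(2017, 1, 20, 18, 44, tzinfo=timezone.utc))

# Constructed sample: five records straddling both edges of the window.
SAMPLE = build_pcap([
    (1484908319, 999999, b"before"),  # 1 us before the window
    (1484908320, 0, b"first"),        # exactly on the start boundary
    (1484920000, 123, b"middle"),
    (1484937840, 0, b"last"),         # exactly on the end boundary
    (1484937840, 1, b"after"),        # 1 us after the window
])


def demo():
    """Slice the constructed sample; returns (kept, scanned, output bytes)."""
    out = io.BytesIO()
    kept, scanned = slice_pcap(io.BytesIO(SAMPLE), out, WINDOW_START, WINDOW_END)
    return kept, scanned, out.getvalue()


if __name__ == "__main__":
    kept, scanned, data = demo()
    print(f"kept {kept} of {scanned} records, wrote {len(data)} bytes")
```

To run it against a real capture, open the input and output with `open(path, "rb")` / `open(path, "wb")` and pass them to `slice_pcap`; the file is read once, sequentially. Check the first four bytes before relying on it: a file written by recent tshark `-w` is usually pcapng (it starts with `0a 0d 0d 0a`), which this parser rejects rather than misreads.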