Reputation: 607
I have large pcapng files, and I want to split them based on my desired Wireshark filters. I want to split my files with the help of bash scripts and pcapsplitter, but when I use a loop, it always gives me the same file.
I have written a small piece of code.
    #!/bin/bash
    for i in {57201..57206}
    do
        mkdir destination/$i
    done
    tcp="tcp port "
    for i in {57201..57206}
    do
        tcp="$tcp$i"
        pcapsplitter -f file.pcapng -o destination/$i -m bpf-filter -p $tcp
    done
The question is: can I use bash for my goal or not? If yes, why does it not work?
Upvotes: 0
Views: 482
Reputation: 849
Definitely, this is something Bash can do.
Regarding your script, the first thing I can think of is this line:

    pcapsplitter -f file.pcapng -o destination/$i -m bpf-filter -p $tcp

where the value of $tcp is actually tcp port 57201 (and following numbers on the next rounds). However, without quotes, you're actually passing tcp only to the -p parameter.
It should work better after you've changed this line into:

    pcapsplitter -f file.pcapng -o destination/$i -m bpf-filter -p "$tcp"

NB: as general advice, it's usually safer to double-quote variables in Bash.
NB2: you don't need those 2 for loops. Here is how I'd rewrite your script:
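    #!/bin/bash
    for portNumber in {57201..57206}; do
        # One output directory per port
        destinationDirectory="destination/$portNumber"
        mkdir "$destinationDirectory"
        # Build the BPF filter from scratch on every iteration
        thePparameter="tcp port $portNumber"
        # Quoted, so the whole filter reaches -p as a single argument
        pcapsplitter -f 'file.pcapng' -o "$destinationDirectory" -m bpf-filter -p "$thePparameter"
    done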
Upvotes: 1
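An added example, not part of the original question or answer: it prints the argument list a command would receive for the unquoted and quoted forms of the `-p` value, and the filter string the question's loop builds when `tcp` is appended to on every round instead of being reset. The helper names `show_argv`, `accumulated_filter` and `fresh_filter` are hypothetical, and pcapsplitter itself is never invoked.

```shell
#!/bin/bash
# Added illustration: helper names are hypothetical; pcapsplitter is never run.

# Print the argument vector a command would receive, one [word] per argument.
show_argv() {
    for arg in "$@"; do
        printf '[%s]' "$arg"
    done
    printf '\n'
}

# Filter as the question's loop builds it: $tcp is appended to, never reset.
# $1 = first port, $2 = last port; prints the value used on the last round.
accumulated_filter() {
    tcp="tcp port "
    p=$1
    while [ "$p" -le "$2" ]; do
        tcp="$tcp$p"
        p=$((p + 1))
    done
    printf '%s\n' "$tcp"
}

# Filter as the answer's rewrite builds it: a fresh string for each port.
fresh_filter() {
    printf 'tcp port %s\n' "$1"
}

filter=$(fresh_filter 57201)
echo "unquoted:    $(show_argv -p $filter)"     # split into three words
echo "quoted:      $(show_argv -p "$filter")"   # one argument
echo "accumulated: $(accumulated_filter 57201 57203)"
```

The last line shows that by the third round the question's variable no longer names a single port, which is a second reason, besides the missing quotes, to build the filter inside the loop.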