Reputation: 69
I have around 7 PCAP files and I would like to split them based on MAC address, then place them into separate files in a new directory for each PCAP file, named after the title of the PCAP file. My current approach (see below) is obviously not the best approach and would still need the loop part.
#!/bin/bash
# Name of PCAP file to analyse
pcap_file="tcpdump_2019-06-21_213044.pcap"
# MAC address to filter
mac="00:17:88:48:89:21"
# Directory named after the capture date (relative to the current directory, not /2019-06-21/ at the filesystem root)
mkdir -p "2019-06-21"
for pcf in $pcap_file
do
    # -w and its argument must stay on one line; the loop variable, not $pcap_file, is the file being read
    /usr/bin/tshark -r "$pcf" -Y "eth.addr eq $mac" -w "2019-06-21/$mac.pcap"
done
#!/bin/bash
pcap_file=(tcpdump_2019-07-01_000001.pcap tcpdump_2019-06-26_120301.pcap)
# one MAC per device, in the same order as the devices array
macs=( 00:17:88:71:78:72 )
devices=(phillips_1 phillips_2)
for pcf in "${pcap_file[@]}"
do
    echo "$pcf" >&2
    # walk macs and devices in parallel by index: "$macs" or "$devices" alone only ever expands to the first element
    for i in "${!macs[@]}"
    do
        /usr/bin/tshark -r "$pcf" -Y "eth.addr eq ${macs[$i]}" -w "${devices[$i]}.pcap"
    done
done
Upvotes: 1
Views: 1240
Something like:
#!/bin/bash
# usage "$0" pcap_file1 pcap_file2 ...
#macs=( 00:17:88:48:89:21 00:17:88:48:89:22 00:17:88:48:89:23 )
ips=( 192.168.202.68 192.168.202.79 192.168.229.153 192.168.23.253 )
for pcf in "$@"
do
    # resolve the path before changing directory, otherwise a relative file name no longer works from the child dir
    pcf="$(realpath -e "$pcf")" || exit
    # HHMMSS can contain any digit, so [0-9] rather than [0-6]; \. keeps the dot literal
    dir="$(basename "$pcf" | sed -r 's/(tcpdump_)(.*)(_[0-9]{6}\.pcap)/\2/')"
    mkdir -p "$dir"
    cd "$dir" || exit # into the newly created child dir
    #for mac in "${macs[@]}"
    for ip in "${ips[@]}"
    do
        #echo "$mac" >&2
        echo "$ip" >&2
        #/usr/bin/tshark -r "$pcf" -Y "eth.addr eq $mac" -w "$mac.pcap"
        /usr/bin/tshark -r "$pcf" -Y "ip.addr == $ip" -w "$ip.pcap"
    done
    cd .. # back to the parent dir
done
Where in your case you would use the commented-out lines. I used IPs to test, for I couldn't find an appropriate file to test MACs on. I used the file maccdc2012_00000.pcap.gz found here: https://www.netresec.com/?page=MACCDC to test (note: my example takes a long time to finish on that large file).
Upvotes: 2
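An added example, not code from the question or the answer above, that does the same job in plain POSIX sh and includes the MAC-to-device-name mapping the question asked for. The device table (MACs from the question, labels phillips_1 and phillips_2), the tshark path and the TSHARK override variable are assumptions made for this example. It never changes directory, so no realpath step is needed, it validates each MAC before interpolating it into the tshark display filter, and output file names come from the fixed labels rather than from anything read off the input.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): split each
# tcpdump_<YYYY-MM-DD>_<HHMMSS>.pcap into one capture per known device,
# written under a directory named after the capture date.
# Usage: sh split_by_mac.sh tcpdump_*.pcap

# Device table, constructed for this example: "mac=label" pairs. Labels are
# used as output file names, so they are fixed strings, never taken from input.
DEVICES="00:17:88:48:89:21=phillips_1 00:17:88:71:78:72=phillips_2"
# Assumed tshark location; override with TSHARK=... (e.g. a stub for dry runs).
TSHARK="${TSHARK:-/usr/bin/tshark}"

# is_mac MAC: succeed only for six colon-separated hex octets. The MAC is
# interpolated into a tshark display filter, so reject anything else.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# pcap_dir_name FILE: print the directory name derived from the file name,
# e.g. tcpdump_2019-06-21_213044.pcap -> 2019-06-21 (other names lose only .pcap).
pcap_dir_name() {
    name=$(basename -- "$1")
    name=${name%.pcap}
    name=${name#tcpdump_}
    name=${name%_[0-9][0-9][0-9][0-9][0-9][0-9]}
    printf '%s\n' "$name"
}

# split_pcap FILE: one tshark pass per device, output in <date>/<label>.pcap.
split_pcap() {
    pcap=$1
    [ -r "$pcap" ] || { printf 'skip %s: not readable\n' "$pcap" >&2; return 1; }
    dir=$(pcap_dir_name "$pcap")
    case $dir in
        ''|.|..) printf 'skip %s: cannot derive a directory name\n' "$pcap" >&2; return 1 ;;
    esac
    mkdir -p -- "$dir" || return 1
    for entry in $DEVICES; do        # unquoted on purpose: split on spaces
        mac=${entry%%=*}
        label=${entry#*=}
        if ! is_mac "$mac"; then
            printf 'skip %s: not a MAC address\n' "$mac" >&2
            continue
        fi
        case $label in
            ''|*/*|.*) printf 'skip %s: bad label %s\n' "$mac" "$label" >&2; continue ;;
        esac
        out="$dir/$label.pcap"
        printf '%s: %s -> %s\n' "$pcap" "$mac" "$out" >&2
        # -Y applies the display filter before -w writes, so only that device's frames land in $out
        "$TSHARK" -r "$pcap" -Y "eth.addr == $mac" -w "$out" || return 1
    done
}

# Driver: one call per file given on the command line; a failed file does not stop the others.
status=0
for pcap in "$@"; do
    split_pcap "$pcap" || status=1
done
```

Running `sh split_by_mac.sh tcpdump_2019-06-21_213044.pcap tcpdump_2019-07-01_000001.pcap` produces 2019-06-21/phillips_1.pcap, 2019-06-21/phillips_2.pcap, 2019-07-01/phillips_1.pcap and 2019-07-01/phillips_2.pcap. Setting TSHARK to a stub command lets the directory and file layout be checked without a real capture.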