Analyze multiple (split) pcap files

Brought to you by: aexaey, andy0x, nording

#19 Analyze multiple (split) pcap files

Milestone: trunk

Status: closed

Owner: Aex Aey

Labels: None

Priority: 5

Updated: 2018-05-15

Created: 2017-08-09

Creator: ju2gle

Private: No

Hi, I have about 100GB of capture data (VoIP honeypot) which is split into files of 10MB each.

I want to run pcapsipdump on them. But the problem is, I cannot run it on the individual files without loosing calls, that span over multiple files as far as I understood.

Merging them is also difficult, capacity-wise.

Many thanks,
ju2gle

Discussion

Aex Aey - 2017-08-11

status: open --> closed

assigned_to: Aex Aey
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Aex Aey - 2017-08-11

Have a look at mergecap, if you haven't already:

https://www.wireshark.org/docs/man-pages/mergecap.html

mergecap can write to stdout. pcapsipdump can read from stdin. You get the idea. Maybe sort arguments first (assuming fragments are linearly named, i.e. 0001, 0002, etc...):

mergecap -w - $(ls -rt *.pcap) | pcapsipdump -fr /dev/stdin -d .
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Analyze multiple (split) pcap files

Group

Searches

Help

#19 Analyze multiple (split) pcap files

Discussion