[Dshield] Splitting a large PCAP
bamm.visscher at gmail.com
Fri Oct 28 23:00:35 GMT 2005
I'd recommend either tcpslice or tethereal.
With tethereal you could do something like:
tethereal -r inFile -w outFile -a filesize:1000000 -b 0
That would take inFile and split that file into 1GB files with the
names outFile_n_timestamp IIRC.
On 10/28/05, Pete Cap <peteoutside at yahoo.com> wrote:
> I have been collecting full packets with a snort
> sensor at a remote site. After the first day we
> realized that we had not set up snort to start a new
> file every so often--this was quickly fixed, but now
> we have a 27 GIG file to process.
> Any ideas on how I can split this? Splitcap won't
> compile; and I don't think I can just run it through
> snort again, seeing as it's already captured!
> Thanks in advance,
sguil - The Analyst Console for NSM
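
An added example, not part of either post: a standard-library Python sketch of the same size-based split for when neither tool is available. The names `split_pcap` and `make_sample_pcap` are hypothetical, the sample capture is constructed, and it assumes a classic libpcap file (not pcapng). It reads one packet at a time, so a multi-gigabyte capture never has to fit in memory.

```python
import struct

# Classic pcap magic numbers -> byte order of the header fields.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond

def split_pcap(in_path, out_prefix, max_bytes):
    """Stream in_path into out_prefix_00000.pcap, _00001.pcap, ...

    Files are cut on packet boundaries and each starts with a copy of the
    24-byte global header, so every piece is readable on its own.
    Returns the list of files written.
    """
    paths, out, written = [], None, 0
    with open(in_path, "rb") as src:
        global_hdr = src.read(24)
        if len(global_hdr) < 24 or global_hdr[:4] not in MAGICS:
            raise ValueError("not a classic libpcap file (pcapng is not handled)")
        order = MAGICS[global_hdr[:4]]
        while True:
            rec_hdr = src.read(16)
            if len(rec_hdr) < 16:
                break                      # end of file
            incl_len = struct.unpack(order + "IIII", rec_hdr)[2]
            data = src.read(incl_len)
            if len(data) < incl_len:
                break                      # capture cut off mid-packet: drop it
            size = 16 + incl_len
            # Start a new file when this packet would push the current one over.
            if out is None or (written > 24 and written + size > max_bytes):
                if out:
                    out.close()
                paths.append("%s_%05d.pcap" % (out_prefix, len(paths)))
                out = open(paths[-1], "wb")
                out.write(global_hdr)
                written = 24
            out.write(rec_hdr + data)
            written += size
    if out:
        out.close()
    return paths

def make_sample_pcap(path, packets=5, payload=100, truncate_last=False):
    """Write a constructed little-endian capture for trying the splitter."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i in range(packets):
            f.write(struct.pack("<IIII", i, 0, payload, payload) + bytes(payload))
        if truncate_last:
            f.write(struct.pack("<IIII", packets, 0, payload, payload) + bytes(10))
```

A packet larger than `max_bytes` still gets a file of its own, so no packet is ever split or lost.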