[Dshield] Splitting a large PCAP

Bamm Visscher bamm.visscher at gmail.com
Fri Oct 28 23:00:35 GMT 2005

I'd recommend either tcpclice or tethereal.

WIth tethereal you could do something like:

tethereal -r inFile -w outFile -a filesize:1000000 -b 0

That would take inFile and split that file into 1GB files with the
names outFile_n_timestamp IIRC.


On 10/28/05, Pete Cap <peteoutside at yahoo.com> wrote:
> All,
> I have been collecting full packets with a snort
> sensor at a remote site.  After the first day we
> realized that we had not set up snort to start a new
> file every so often--this was quickly fixed, but now
> we have a 27 GIG file to process.
> Any ideas on how I can split this?  Splitcap won't
> compile; and I don't think I can just run it through
> snort again, seeing as it's already captured!
> Thanks in advance,
> Pete
> __________________________________
> Yahoo! Mail - PC Magazine Editors' Choice 2005
> http://mail.yahoo.com
> _________________________________________
> Using .Net? Need to know more about .Net Security?
> http://isc.sans.org/banner_count.php?dest=dotnet
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

sguil - The Analyst Console for NSM

More information about the list mailing list