Filter a pcap dump file for a specific time range

pcap tcpdump tshark editcap
Filippo Vitale picture Filippo Vitale · Nov 13, 2013 · Viewed 17.7k times · Source

Is there any easy way to create a pcap file for the packets related to a specific datetime range maybe using tshark, tcpdump or another commandline tool?

tshark -R with frame.time seems promising but I haven't been able to work that out yet...

EDIT

The final command:

editcap -F libpcap -A "2013-07-20 23:00:00" -B "2013-07-20 23:20:00" input.pcap output.pcap

Answer

James picture James · Nov 13, 2013

What you need is editcap. It's a command-line tool that is part of the Wireshark family.

Check out the man page at http://www.wireshark.org/docs/man-pages/editcap.html.

It takes a pcap file as input, and writes an output one. You may operate on the infile to filter content, for example, with start-time and end-time, packet number ranges, snap packet length, adjusting timestamps (!), etc. It's a great tool.

Related questions

How to filter MAC addresses using tcpdump?

I am running tcpdump on DD-WRT routers in order to capture uplink data from mobile phones. I would like to listen only to some mac addresses. To do this I tried to run the command using a syntax similar to …

Read More
How to concatenate two tcpdump files (pcap files)

How to concatenate two tcpdump files, so that one traffic will appear after another in the file? To be concrete I want to "multiply" one tcpdump file, so that all the sessions will be repeated one after another sequentially few …

Read More
Easiest way to convert pcap to JSON

I have a bunch of pcap files, created with tcpdump. I would like to store these in a database, for easier querying, indexing etc. I thought mongodb might be a good choice, because storing a packet the way Wireshark/TShark …

Read More