How do I get a specific range of packets from a large pcap file with tcpdump?

tcpdump
growse picture growse · Oct 28, 2013 · Viewed 14.6k times · Source

I've got a huge pcap file (100GB) and I'm interested in a small number of packets which I know are numbers 5,000,000 to 5,000,020.

How can I use tcpdump to read a pcap file, filter out packets by packet number (or range), and then write them out to a new pcap file?

Answer

pdp picture pdp · Nov 29, 2016

It is quite simple using editcap that comes along with Wireshark (at least on CentOS and Debian). For the 5,000,000 to 5,000,020 packet numbers, you can do:

editcap -r <big_pcap_file> <new_pcap_file> 5000000-5000020

Related questions

Can I use tcpdump to get HTTP requests, response header and response body?

I am using tcpdump to get HTTP data by executing the below command: sudo tcpdump -A -s 1492 dst port 80 The result of above command: Headers, I think request and response headers. Unreadable data. The url GET /modules/mod_news_pro_…

Read More
Monitor network activity in Android Phones

I would like to monitor network traffic of my Android Phone. I was thinking using tcpdump for Android, but I'm not sure if I have to cross-compile for the phone. Another question is the following, If I want to monitor …

Read More
How can I have tcpdump write to file and standard output the appropriate data?

I want to have tcpdump write raw packet data into a file and display packet analysis in standard output as the packets are captured (by analysis I mean the lines it displays normally when -w is missing). Can anybody please …

Read More