How to use editcap, which ships with Wireshark
C:\Program Files\Wireshark>editcap.exe
Editcap 1.6.0 (SVN Rev 37592 from /trunk-1.6)
Edit and/or translate the format of capture files.
See http://www.wireshark.org for more information.
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
<infile> and <outfile> must both be present.
A single packet or a range of packets can be selected.
Packet selection:
-r keep the selected packets; default is to delete them.
-A <start time> only output packets whose timestamp is after (or equal
to) the given time (format as YYYY-MM-DD hh:mm:ss).
-B <stop time> only output packets whose timestamp is before the
given time (format as YYYY-MM-DD hh:mm:ss).
Duplicate packet removal:
-d remove packet if duplicate (window == 5).
-D <dup window> remove packet if duplicate; configurable <dup window>
Valid <dup window> values are 0 to 1000000.
NOTE: A <dup window> of 0 with -v (verbose option) is
useful to print MD5 hashes.
-w <dup time window> remove packet if duplicate packet is found EQUAL TO OR
LESS THAN <dup time window> prior to current packet.
A <dup time window> is specified in relative seconds
(e.g. 0.000001).
NOTE: The use of the 'Duplicate packet removal' options with
other editcap options except -v may not always work as expected.
Specifically the -r, -t or -S options will very likely NOT have the
desired effect if combined with the -d, -D or -w.
Packet manipulation:
-s <snaplen> truncate each packet to max. <snaplen> bytes of data.
-C <choplen> chop each packet by <choplen> bytes. Positive values
chop at the packet beginning, negative values at the
packet end.
-t <time adjustment> adjust the timestamp of each packet;
<time adjustment> is in relative seconds (e.g. -0.5).
-S <strict adjustment> adjust timestamp of packets if necessary to insure
strict chronological increasing order. The <strict
adjustment> is specified in relative seconds with
values of 0 or 0.000001 being the most reasonable.
A negative adjustment value will modify timestamps so
that each packet's delta time is the absolute value
of the adjustment specified. A value of -0 will set
all packets to the timestamp of the first packet.
-E <error probability> set the probability (between 0.0 and 1.0 incl.)
that a particular packet byte will be randomly changed.
Output File(s):
-c <packets per file> split the packet output to different files
based on uniform packet counts
with a maximum of <packets per file> each.
-i <seconds per file> split the packet output to different files
based on uniform time intervals
with a maximum of <seconds per file> each.
-F <capture type> set the output file type; default is libpcap.
an empty "-F" option will list the file types.
-T <encap type> set the output file encapsulation type;
default is the same as the input file.
an empty "-T" option will list the encapsulation types.
Miscellaneous:
-h display this help and exit.
-v verbose output.
If -v is used with any of the 'Duplicate Packet
Removal' options (-d, -D or -w) then Packet lengths
and MD5 hashes are printed to standard-out.
Example 1) Save the first 100 packets of input.cap to output.cap
# editcap -r input.cap output.cap 1-100
Example 2) Save the packets of input.pcap into output.pcap files of 10000 packets each
# editcap -c 10000 input.pcap output.pcap
# ls
input.pcap output.pcap-00011 output.pcap-00024 output.pcap-00037
t.pcap output.pcap-00012 output.pcap-00025 output.pcap-00038
output.pcap-00000 output.pcap-00013 output.pcap-00026 output.pcap-00039
output.pcap-00001 output.pcap-00014 output.pcap-00027 output.pcap-00040
output.pcap-00002 output.pcap-00015 output.pcap-00028 output.pcap-00041
output.pcap-00003 output.pcap-00016 output.pcap-00029 output.pcap-00042
output.pcap-00004 output.pcap-00017 output.pcap-00030 output.pcap-00043
output.pcap-00005 output.pcap-00018 output.pcap-00031 output.pcap-00044
output.pcap-00006 output.pcap-00019 output.pcap-00032 output.pcap-00045
output.pcap-00007 output.pcap-00020 output.pcap-00033 output.pcap-00046
output.pcap-00008 output.pcap-00021 output.pcap-00034 output.pcap-00047
output.pcap-00009 output.pcap-00022 output.pcap-00035 output.pcap-00048
output.pcap-00010 output.pcap-00023 output.pcap-00036
If input.pcap holds more than 10,000 packets, the output is written in 10,000-packet units, each file named output.pcap with a sequence number appended.
Example 3) Split the packets by time, in seconds, using the -i option
# editcap -i 60 input.pcap output.pcap
Example 4) Extract packets within a specified time range
# editcap -v -A "2010-01-15 14:00:00" -B "2010-01-15 15:00:00" input.cap output.cap
-v is verbose mode and prints more detailed information. -A and -B specify the start and end times.
Example 5) Extract packets by specifying multiple ranges
# editcap -r input.cap output.cap 1-100 500-600
Saves packets 1-100 and 500-600 to output.cap (the -r flag keeps the listed packets; without it editcap deletes them, as Example 6 shows).
Example 6) Understand exactly what difference the -r option makes
# editcap input.cap output.cap 1 10 200-300 500-700
Saves everything to output.cap except packets 1, 10, 200-300 and 500-700.
# editcap -r input.cap output.cap 1 10 200-300 500-700
Selects only packets 1, 10, 200-300 and 500-700 and saves them to output.cap.
How to use the SplitCap tool
SplitCap : http://splitcap.sourceforge.net/
D:\Security Tools\Network Tools\pcap Analysis\SplitCap_1-6>SplitCap.exe
Usage: SplitCap [OPTIONS]...
OPTIONS:
-r <input_file> : Set the pcap file to read from
-o <output_directory> : Manually specify output directory
-d : Delete previous output data
-p <nr_parallel_sessions> : Set the number of parallel sessions to keep in
memory (default = 10000). More sessions might be needed to split pcap
files from busy links such as an Internet backbone link, this will however
require more memory
-b <file_buffer_bytes> : Set the number of bytes to buffer for each
session/output file (default = 10000). Larger buffers will speed up the
process due to fewer disk write operations, but will occupy more memory.
-s <GROUP> : Split traffic and group packets to pcap files based on <GROUP>
Possible values for <GROUP> are:
flow : Each flow, i.e. unidirectional traffic for a 5-tuple,
is grouped
host : Traffic grouped to one file per host. Most packets will
end up in two files.
hostpair : Traffic grouped based on host-pairs communicating
nosplit : Do not split traffic. Only create ONE output pcap.
(default) session : Packets for each session (bi-directional flow) are
grouped
-ip <IP address to filter on>
-port <port number to filter on>
-y <FILETYPE> : Output file type for extracted data. Possible values
for <FILETYPE> are:
L7 : Only store application layer data
(default) pcap : Store complete pcap frames
Example 1: SplitCap -r dumpfile.pcap
Example 2: SplitCap -r dumpfile.pcap -o session_directory
Example 3: SplitCap -r dumpfile.pcap -s hostpair
Example 4: SplitCap -r dumpfile.pcap -s flow -y L7
Example 5: SplitCap -r dumpfile.pcap -ip 1.2.3.4 -port 80 -port 443 -s nosplit
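The editcap examples above (range selection with and without -r, splitting with -c and -i) and SplitCap's -s session grouping all come down to the same few operations on a pcap file. The following Python model is an added example, not code from the page, from Wireshark or from SplitCap. It assumes classic little-endian libpcap files with DLT_RAW (101, raw IPv4) frames, approximates -i by measuring intervals from the first packet's timestamp, and uses its own session file naming (TCP_ip_port_ip_port); the seven-packet capture it works on is constructed in memory, with checksums left at zero.

```python
"""Constructed model of editcap range selection / -c / -i and SplitCap -s session.
Standard library only; the sample capture is built in memory, not read from disk."""
import socket
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps (assumed format)
LINKTYPE_RAW = 101        # DLT_RAW: each frame starts at the IPv4 header (assumed link type)


def ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Minimal IPv4/TCP packet for sample data; checksums stay 0 because nothing sends it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def build_pcap(packets):
    """packets: list of (ts_sec, ts_usec, raw_bytes) -> bytes of a libpcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW)]
    for sec, usec, raw in packets:
        out.append(struct.pack("<IIII", sec, usec, len(raw), len(raw)) + raw)
    return b"".join(out)


def parse_pcap(data):
    """Inverse of build_pcap; rejects anything that is not little-endian classic pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported capture format (only little-endian classic pcap handled)")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append((sec, usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def select_ranges(packets, ranges, keep):
    """editcap <infile> <outfile> [ranges]: 1-based inclusive (lo, hi) pairs.
    keep=True mirrors -r (keep the selected packets); keep=False is the default (delete them)."""
    chosen = set()
    for lo, hi in ranges:
        chosen.update(range(lo, hi + 1))
    return [p for i, p in enumerate(packets, 1) if (i in chosen) == keep]


def split_by_count(packets, per_file, prefix="output.pcap"):
    """editcap -c <n>: chunks of n packets named prefix-00000, prefix-00001, ..."""
    return OrderedDict((f"{prefix}-{n:05d}", packets[i:i + per_file])
                       for n, i in enumerate(range(0, len(packets), per_file)))


def split_by_time(packets, seconds_per_file, prefix="output.pcap"):
    """Approximation of editcap -i <s>: a new file whenever the capture clock crosses the next
    s-second boundary measured from the first packet. Input is assumed to be time-ordered."""
    files, current, last_bucket = OrderedDict(), None, None
    if not packets:
        return files
    start = packets[0][0] + packets[0][1] / 1e6
    for sec, usec, raw in packets:
        bucket = int((sec + usec / 1e6 - start) // seconds_per_file)
        if bucket != last_bucket:
            current = f"{prefix}-{len(files):05d}"
            files[current] = []
            last_bucket = bucket
        files[current].append((sec, usec, raw))
    return files


def session_key(ip_packet):
    """SplitCap -s session: bidirectional 5-tuple. Endpoints are sorted so a packet and its
    reply share one key; protocols other than TCP/UDP get port 0 on both sides."""
    ihl = (ip_packet[0] & 0x0F) * 4
    proto = ip_packet[9]
    src, dst = ip_packet[12:16], ip_packet[16:20]
    sport = dport = 0
    if proto in (6, 17) and len(ip_packet) >= ihl + 4:   # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack_from("!HH", ip_packet, ihl)
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def split_by_session(packets):
    """One packet list per bidirectional session, in order of first appearance.
    Names like TCP_10.0.0.1_40000_10.0.0.2_80 are this example's own, not SplitCap's."""
    sessions = OrderedDict()
    for sec, usec, raw in packets:
        proto, ip_a, port_a, ip_b, port_b = session_key(raw)
        name = "%s_%s_%d_%s_%d" % ({6: "TCP", 17: "UDP"}.get(proto, "IP%d" % proto),
                                   socket.inet_ntoa(ip_a), port_a, socket.inet_ntoa(ip_b), port_b)
        sessions.setdefault(name, []).append((sec, usec, raw))
    return sessions


def sample_capture():
    """Constructed 7-packet capture: three TCP sessions spread over 140 seconds."""
    pk = [
        (0, 0, ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.1\r\n")),
        (10, 0, ipv4_tcp("10.0.0.2", "10.0.0.1", 80, 40000, b"HTTP/1.1 200 OK\r\n")),  # reply
        (20, 0, ipv4_tcp("10.0.0.1", "10.0.0.3", 40001, 443)),
        (70, 0, ipv4_tcp("10.0.0.5", "10.0.0.2", 53000, 80)),
        (80, 0, ipv4_tcp("10.0.0.3", "10.0.0.1", 443, 40001)),
        (130, 0, ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, b"GET /x HTTP/1.1\r\n")),
        (140, 0, ipv4_tcp("10.0.0.2", "10.0.0.5", 80, 53000)),
    ]
    return build_pcap(pk)


def demo():
    """Run each operation over the sample capture; the comments give the equivalent command."""
    _, pkts = parse_pcap(sample_capture())
    return {
        "kept": len(select_ranges(pkts, [(1, 2), (6, 6)], keep=True)),      # editcap -r in out 1-2 6
        "dropped": len(select_ranges(pkts, [(1, 2), (6, 6)], keep=False)),  # editcap in out 1-2 6
        "by_count": [len(v) for v in split_by_count(pkts, 3).values()],     # editcap -c 3
        "by_time": [len(v) for v in split_by_time(pkts, 60).values()],      # editcap -i 60
        "sessions": {k: len(v) for k, v in split_by_session(pkts).items()},  # SplitCap -s session
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The keep flag in select_ranges is the whole story of Example 6: the same range list either keeps or deletes the listed packets depending on -r. The session key sorts the two endpoints before comparing, which is what makes a request and its reply land in the same file; drop the sort and you get SplitCap's -s flow behaviour (one file per direction) instead.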