How to filter, split and merge pcap files under Linux

Posted by trammel at 2020-03-23

If you are a network administrator testing intrusion detection systems or network access control policies, you often need to capture packets and analyze them offline. Captured packets are usually saved in the libpcap format, which is widely used by open-source sniffers and packet capture programs. When pcap files are used for intrusion testing or offline analysis, they usually need to be manipulated before they are injected into the network.

In this article, I will introduce some tools for manipulating pcap files and how to use them.

Editcap and mergecap

Wireshark, the most popular GUI sniffer, actually comes with a very useful set of command-line tools, including editcap and mergecap. Editcap is a versatile pcap editor that can filter and split pcap files in many ways. Mergecap can merge multiple pcap files into one. This article is based on these Wireshark command-line tools.

If you have Wireshark installed, these tools are already on your system. If not, install the Wireshark command-line tools next. Note that on Debian-based distributions you can install the command-line tools without the Wireshark GUI, but on Red Hat and its derivatives you need to install the entire Wireshark package.

Debian, Ubuntu or Linux Mint

Fedora, CentOS or RHEL

Once the tools are installed, you can start using editcap and mergecap.

Pcap file filtering

With editcap, we can filter the contents of a pcap file using many different rules and save the results to a new file.

First, a pcap file can be filtered by start and end time. The "-A <start time>" and "-B <end time>" options select only the packets that arrived in this time period (for example, from 2:30 to 2:35). The time format is "YYYY-MM-DD HH:MM:SS".

You can also extract a specified range of packets from a file. The following command line extracts 100 packets (from 401 to 500) from the input.pcap file and saves them to output.pcap:

Use the "-D <dup window>" option to remove duplicate packets. The dup window is the size of the comparison window: a packet is only compared with packets inside this range. Each packet in turn has its length and MD5 hash compared with those of the previous <dup window> - 1 packets, and is discarded if there is a match.

Of the 37568 packets seen, only one duplicate packet was discarded with a duplicate window of 10 packets.
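To see how the size of the duplicate window changes the result, the following added example (not from the original article and not editcap's own code) models the comparison described above in Python on a constructed capture. The function names, the sample packets and the rule that a dropped duplicate still occupies a window slot are assumptions.

```python
import hashlib
import struct
from collections import deque

def build_pcap(packets):
    """Build a classic little-endian pcap byte string from (ts_sec, payload) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # 24-byte global header
    for ts_sec, data in packets:
        out += struct.pack("<IIII", ts_sec, 0, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Yield (record_header, payload) for each packet in a little-endian pcap."""
    if struct.unpack_from("<I", blob, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(blob):
        incl_len = struct.unpack_from("<IIII", blob, offset)[2]
        header = blob[offset:offset + 16]
        payload = blob[offset + 16:offset + 16 + incl_len]
        if len(payload) < incl_len:
            raise ValueError("truncated packet record")
        yield header, payload
        offset += 16 + incl_len

def dedup(blob, dup_window):
    """Drop packets whose (length, MD5) matches one of the previous dup_window - 1 packets."""
    recent = deque(maxlen=dup_window - 1)  # assumption: every packet seen enters the window
    out, skipped = blob[:24], 0
    for header, payload in read_pcap(blob):
        key = (len(payload), hashlib.md5(payload).digest())
        if key in recent:
            skipped += 1
        else:
            out += header + payload
        recent.append(key)
    return out, skipped

# Constructed sample: payload "A" appears at positions 1, 3 and 7.
SAMPLE = build_pcap([(1, b"A" * 60), (2, b"B" * 60), (3, b"A" * 60),
                     (4, b"C" * 60), (5, b"D" * 60), (6, b"E" * 60), (7, b"A" * 60)])

if __name__ == "__main__":
    for window in (2, 3, 5):
        kept, skipped = dedup(SAMPLE, window)
        print(f"window={window}: {skipped} skipped, {len(list(read_pcap(kept)))} kept")
```

A window that is too small misses retransmissions that arrive a few packets apart, so the skipped count is worth checking against what you expect from the capture.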

You can also define the duplicate window as a time interval. Use the "-w <dup time window>" option to compare each packet with the packets that arrived within the preceding <dup time window>.

50000 packets were seen with a duplicate time window of 0.5 seconds, and no duplicate packets were found.

Split pcap file

When a large pcap file needs to be divided into several smaller files, editcap is also very useful.

Divide a pcap file into multiple files with the same number of packets

Each output file has the same number of packets and is named in the form <output prefix>-nnnn.

Splitting pcap files by time interval

Merge pcap files

If you want to merge multiple files into one, it is convenient to use mergecap.

When merging multiple files, mergecap by default sorts the packets they contain by timestamp.

If you want to ignore the timestamps and just merge the files in the order given on the command line, use the -a option.

For example, the following command writes the contents of the input.pcap file to output.pcap and appends the contents of input2.pcap.


In this tutorial, I demonstrated several examples of using editcap and mergecap to manipulate pcap files. There are other related tools as well, such as reordercap for reordering packets, text2pcap for converting pcap files to text format, pcap-diff for comparing the similarities and differences of pcap files, and so on. These tools, together with packet injection tools, are very practical when testing network intrusion and troubleshooting network problems, so it is worth knowing them.

Have you ever used any pcap tools? If so, what have you done with them?


Author: Dan Nanni; translator: spccman; proofreader: wxy

This article was originally translated by LCTT and is proudly presented by Linux China.
