pcapslice

[amm3]

This is a utility to split pcap files by ip src/dst pair or tcp/udp stream using Dshell's PCAPWriter() to write the output files. This is sometimes useful when trying to process pcap in dshell that contains numerous and interleaved really large streams.

[dev195]

Some things to do before this gets accepted:

• Add an --outdir argument, similar to rip-http. This script is going to generate a lot of files, and we might not want them all dumped in our current directory.
• Update the normalIP function to handle IPv6. You can probably use the same logic from pcapanon.py
• Fix so it doesn't choke on packets that don't have ports (e.g. ICMP).

Traceback (most recent call last):
  File "../bin/pcapslice.py", line 229, in <module>
    main()
  File "../bin/pcapslice.py", line 88, in main
    thisflow = flow(addr)
  File "../bin/pcapslice.py", line 123, in __init__
    self.outfilename = localfilename(addr)
  File "../bin/pcapslice.py", line 204, in localfilename
    sport = '%05d' % int(sport)
TypeError: int() argument must be a string or a number, not 'NoneType'

Also, I see the --debug flag, but I don't see any debug messages. Does that need to be there for something?

[amm3]

I think this covers the requested updates.

[dev195]

Okay, it looks like it's working, so I'll merge it.

At some point, I would recommend changing some of the logging. It seems awkward to have informational messages about new and closing files be marked as WARNings.

[amm3]

Thanks. I can definitely update the output. This was cobbled together without much thought to usability, so it probably merits a rethink of the standard and diagnostic messaging.