GitHub - constcast/pcapsplit

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 198 Commits
configs		configs
modules		modules
tools		tools
AUTHORS		AUTHORS
COPYING		COPYING
ChangeLog		ChangeLog
Makefile.am		Makefile.am
NEWS		NEWS
README		README
configure.ac		configure.ac
main.c		main.c

Repository files navigation

This is a development snapshot of pcapsplit. At this moment pcapsplit is only
capable of splitting pcap files into several smaller pieces. 

Use 

$ autoreconf -i
$ ./configure
$ make

in order to compile pcapsplit. You need the development version of libpcap
installed on you system.

The configuration is done via ini files. These files configure all the modules
that pcapsplit uses to split the source file. Each of these modules does have
its on section in within the files. The following modules are currently
implemented:

- sizedumper -- Splits a single pcap files into several smaller files. The
  configuration for this module is given like this:

	[size_dumper]
	file_prefix=/path/to/file/prefix
	size=size in bytes
  
  The resulting files will be no bigger than size "size". Some files might be
  smaller because the split is only performed on a packet boundary. Packets
  will not be splitted in the middle of the packet. 
  If a big pcap file is splitted into n smaller files, the resulting output
  files will be named $file_prefix.[0-n].

- filterdumper -- Splits a single pcap files into several files according to
  pcap filter rules. The configuration is performed as follows:

	[filter_dumper]
	file_prefix=/path/to/file/prefix
	numer_of_classes=2

	class1=ip
	filter1="ip"

	class2=ip6
	filter2="ip6"

  The configuration specifies an file prefix in the variable "file_prefix" and
  the number of output classes in "number_of_classes". The variables "class"
  and "filter" need to be existent for every class. For examle, if
  "number_of_classes" is two, there must be the configuration variables
  "class1", "filter1", "class2", "filter2". 
  The string given in "classN" defines the filename of the output pcap file.
  For example, the configuration

	file_prefix='/foo/bar/pcap-'
	class1 = 'ip'

  will result in a pcap filen named '/foo/bar/pcap-ip'. Note that the
  directory for the pcap file MUST exist because pcapsplit does not create any
  directories. The variable "filterN" defines the pcap filter for the class N. 
  The filter format must be in tcpdump(1) format.

- flowstart_dumper: Similar to filter_dumper but allows the configuration of a
  cutoff per connection. The module performs connection tracking (acctually
  bi-flow tracking). A cutoff can be defined by class and is specified in
  bytes. A cutoff of N bytes means only N bytes per bi-flow are stored to the
  classes pcap file. A definition of a class could be

	class1=ip
	filter1="ip and tcp and port 80"
	cutoff1=15000

  which would match all TCP traffic with source or destination port 80 over
  IPv4. The parameter "cutoff1" would result in 15000 bytes per connection to
  captured.
  It is also possible to specify the maximum pcap file size for a class by
  configuring the variable

	file_size1 = 100000000

  This results in maximum pcap files that have the size 100000000 the output
  Afterwards, a new file is produced for the class. The filenames are produced
  in a form like '$file_prefix$class_name-$i' where $i is a running number
  that starts with 0 at programm-start and is increased everytime a new
  class-file is started.
  The flow-dumper module aims at dumping the first N bytes of each connections
  and tries to reassemble the corresponding functionallity of the time-machine
  (TODO: links to time machine) and was inspired by the program.

Please email bug reports, feature requests, etc to

	Lothar Braun <lothar@lobraun.de>