I was having trouble with tethereal and a pcap file bigger than 2 gigs,
so I wrote a quick and dirty python script to split pcap files into 1
gig chunks. It's a total hack but maybe it'll be useful to someone in
the archives. More here:
http://www.nelson.monkey.org/~nelson/weblog/tech/splitpcap.html
#!/usr/bin/python
"""Quick hack program to split up a pcap file into smaller pieces.
tethereal and friends can't open files bigger than 2GB: this utility lets
you split a large pcap file into smaller files.
The actual implementation is a total hack based on reading pcap.h and
implementing the bare minimum in python. I wrote this for a 32-bit x86
Linux system; types may vary on other OSes."""
import struct, sys
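# pcap file format definition. Types pulled from pcap.h.
# The "=" prefix asks struct for native byte order with *standard* sizes and
# no padding.  On disk a pcap record header is always four 32-bit fields
# (ts_sec, ts_usec, incl_len, orig_len), so on a platform whose C `long` is
# 8 bytes the old "llII" layout would have read 24 bytes per header and
# mis-parsed every packet.  Byte order still follows the host, as before
# (the magic number is not inspected).
pcap_file_header = "=IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
pcap_pkthdr = "=IIII"          # ts_sec, ts_usec, caplen (incl_len), len (orig_len)
pcap_file_header_length = struct.calcsize(pcap_file_header)
pcap_pkthdr_length = struct.calcsize(pcap_pkthdr)
# Module-level counters shared by newOutFile() and main().
outFiles = 0  # serial number of the next output file
outBytes = 0  # bytes written so far to the current output file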
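def newOutFile(file_header, prefix="splitpcap"):
    """Create a new pcap output file with a serial number in the filename.

    Opens ``<prefix>.NNNN`` for binary writing in the current directory,
    writes ``file_header`` (the header copied from the input) so that the
    piece is a valid pcap file on its own, and resets the module-level
    ``outBytes`` counter.  An existing file of the same name is truncated.

    Args:
        file_header: raw bytes of the input file's pcap header.
        prefix: filename prefix; defaults to the historical "splitpcap".

    Returns:
        The open file object.  The caller owns it and must close it.
    """
    global outFiles, outBytes
    fn = "%s.%04d" % (prefix, outFiles)
    outFiles += 1
    # Single-argument print() prints the same text on Python 2 and 3.
    print("Writing file %s" % fn)
    fp = open(fn, "wb")
    fp.write(file_header)
    outBytes = len(file_header)
    return fp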
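def _fail(msg):
    """Report a malformed-input condition on stderr and exit non-zero."""
    sys.stderr.write("splitpcap: %s\n" % msg)
    sys.exit(1)


def main(max_size=1024 * 1024 * 1024, max_caplen=262144):
    """Split the pcap stream on stdin into files of at most ``max_size`` bytes.

    Every output piece receives a copy of the input's file header followed by
    whole packet records, so a packet is never split across two files.

    Args:
        max_size: rotate to a new output file before it would exceed this
            many bytes (default 1 GiB, the value the script always used).
        max_caplen: largest per-record caplen that is accepted.  The length
            field is read straight from the input file, so a corrupt or
            hostile file could otherwise make ``read(caplen)`` allocate up to
            4 GiB in one go; a record above this bound, or above the
            file header's snaplen, aborts the run with a diagnostic.

    Ends cleanly at end of input.  A truncated trailing record is reported on
    stderr and dropped rather than written with a header that overstates its
    length.  Exits with status 1 on a short file header or an implausible
    caplen.
    """
    global outBytes
    # Python 3 wraps stdin in a text layer; the raw byte stream is .buffer.
    # Python 2's sys.stdin has no .buffer and is already byte-oriented.
    fp = getattr(sys.stdin, "buffer", sys.stdin)
    file_header = fp.read(pcap_file_header_length)
    if len(file_header) != pcap_file_header_length:
        _fail("input shorter than a pcap file header")
    # Only snaplen is used: it is the upper bound every caplen must respect.
    snaplen = struct.unpack(pcap_file_header, file_header)[5]
    outFP = newOutFile(file_header)
    try:
        while True:
            pkthdr = fp.read(pcap_pkthdr_length)
            if not pkthdr:
                break  # clean end of input
            if len(pkthdr) != pcap_pkthdr_length:
                sys.stderr.write("splitpcap: truncated packet header at end of input, dropped\n")
                break
            _sec, _usec, caplen, _length = struct.unpack(pcap_pkthdr, pkthdr)
            # Sanity-check the untrusted length before allocating for it.
            if caplen > max_caplen or (snaplen and caplen > snaplen):
                _fail("implausible caplen %d (snaplen %d)" % (caplen, snaplen))
            pkt = fp.read(caplen)
            if len(pkt) != caplen:
                sys.stderr.write("splitpcap: truncated packet at end of input, dropped\n")
                break
            moreBytes = pcap_pkthdr_length + caplen
            # Rotate before writing so no piece exceeds max_size.
            if moreBytes + outBytes > max_size:
                outFP.close()
                outFP = newOutFile(file_header)
            outFP.write(pkthdr)
            outFP.write(pkt)
            outBytes += moreBytes
    finally:
        outFP.close()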
if __name__ == '__main__':
    # Run the splitter only when executed as a script, not when imported.
    main()