How to work with large traffic capture files
Solution

Follow these steps on a computer with Wireshark installed to split a large packet capture file into several smaller files:

  1. Open the Wireshark installation directory.

    Default is:

    • Windows 32-bit:
      C:\Program Files (x86)\Wireshark\

    • Windows 64-bit:
      C:\Program Files\Wireshark\


  2. Read the following manual pages:



  3. Put the large traffic capture file into some folder (e.g., C:\capture\)

  4. Open Windows Command Prompt:

    Start - Run... - type cmd - click OK.

  5. Navigate to Wireshark installation directory:

    • Windows 32-bit:
      C:\> cd /d  "C:\Program Files (x86)\Wireshark\"

    • Windows 64-bit:
      C:\> cd /d  "C:\Program Files\Wireshark\"


  6. Generate all information about the traffic capture file:

    C:\Program...\Wireshark> capinfos.exe  -A  C:\path_to\Name_of_Large_Traffic_Capture_File.cap

    Note: Look at these lines:

    • Number of packets
    • File size

    Example:

    File name:           C:\capture\fw_mon.cap
    File type:           Sun snoop
    File encapsulation:  Ethernet
    Packet size limit:   file hdr: (not set)
    Number of packets:   105 k
    File size:           56 MB
    Data size:           53 MB
    Capture duration:    47 seconds
    Start time:          Fri Mar 21 12:00:13 2014
    End time:            Fri Mar 21 12:01:00 2014
    Data byte rate:      1136 kBps
    Data bit rate:       9093 kbps
    Average packet size: 506.94 bytes
    Average packet rate: 2242 packets/sec
    SHA1:                4a056454ab0c844f114c45a0adb8af3023a97d2e
    RIPEMD160:           3959b6d57d364fe15185784d4445014f6371373a
    MD5:                 64ef6df5ef61792eb03284c9b3d87958
    Strict time order:   False
    
  7. Split the large traffic capture file into desired number of smaller files:

    C:\Program...\Wireshark> editcap.exe  -F pcapng  -c <Packets_per_File>  C:\path_to\Name_of_Large_Traffic_Capture_File.cap  C:\path_to\Name_of_Smaller_Traffic_Capture_File.cap

    Useful options:

    • -c <Packets_per_File>
      Splits the packet output to different files based on uniform packet counts with a maximum of <Packets_per_File> each.
      Each output file will be created with a suffix -nnnnn_YYYYMMDDHHMMSS, where:
      • nnnnn starts with 00000
      • YYYYMMDDHHMMSS is the start time of captured traffic packet in the smaller file
      If the specified number of packets is written to the output file, the next output file is opened.
      The default is to use a single output file.

      Algorithm:

      1. Decide on the desired size of the smaller files.
      2. Divide the current size of the large capture file by the desired size of the smaller files.
      3. Round the result up or down (this is the approximate number of smaller files).
      4. Divide the number of packets in the large capture file by the rounded number of smaller files.
      5. Round the result up or down (this is the approximate number of packets per smaller file).
      6. Use this value as <Packets_per_File>.

      Example:

      1. Number of packets in large capture file = 105 k = 105 000
      2. Size of large capture file = 56 MB
      3. Desired size of smaller files = 5 MB
      4. Dividing 56 MB by 5 yields 11.2
      5. Rounding 11.2 down yields 11
      6. Dividing 105000 packets by 11 yields 9545.45
      7. Rounding 9545.45 packets down yields 9545
      8. Hence, the final syntax is:
        editcap.exe -F pcapng -c 9545 Input_File.cap Output_File.cap

    • -A <Start_Time>
      Saves only the packets whose timestamp is on or after start time.
      The time is given in the following format: YYYY-MM-DD HH:MM:SS

    • -B <Stop_Time>
      Saves only the packets whose timestamp is before stop time.
      The time is given in the following format: YYYY-MM-DD HH:MM:SS

    • -i <Seconds_per_File>
      Splits the packet output to different files based on uniform time intervals using a maximum interval of <Seconds_per_File> each.
      Each output file will be created with a suffix -nnnnn, starting with 00000.
      If packets for the specified time interval are written to the output file, the next output file is opened.
      The default is to use a single output file.

    Example:

    C:\Program Files\Wireshark> editcap.exe  -F pcapng  -c 9545  c:\capture\fw_mon.cap  c:\capture\fw_mon_split.cap
    
    C:\Program Files\Wireshark> dir c:\capture\fw_mon*
    
    21/03/14  13:01        56,066,000 fw_mon.cap
    30/03/14  14:59         6,519,068 fw_mon_split_00000_20140321120013.cap
    30/03/14  14:59         2,583,267 fw_mon_split_00001_20140321120014.cap
    30/03/14  14:59         2,869,181 fw_mon_split_00002_20140321120016.cap
    30/03/14  14:59         3,461,290 fw_mon_split_00003_20140321120018.cap
    30/03/14  14:59         5,574,385 fw_mon_split_00004_20140321120020.cap
    30/03/14  14:59         6,892,660 fw_mon_split_00005_20140321120023.cap
    30/03/14  14:59         5,970,221 fw_mon_split_00006_20140321120028.cap
    30/03/14  14:59         4,515,599 fw_mon_split_00007_20140321120033.cap
    30/03/14  14:59         3,798,614 fw_mon_split_00008_20140321120037.cap
    30/03/14  14:59         7,199,498 fw_mon_split_00009_20140321120042.cap
    30/03/14  14:59         5,358,033 fw_mon_split_00010_20140321120053.cap
    30/03/14  14:59           286,466 fw_mon_split_00011_20140321120100.cap
                  13 File(s)    111,094,282 bytes
                   0 Dir(s)  21,828,050,944 bytes free
    
    C:\Program Files\Wireshark>
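
    The following Python script is an added example (not code from this article or from the Wireshark project) that carries steps 1 to 6 of the algorithm above through on the capinfos -A output from step 6, parsing the SI-suffixed values capinfos prints and predicting how many files editcap will actually write. Because the packet count is rounded down, a remainder is left over, which is why the listing above shows twelve split files rather than the eleven planned, and -c gives uniform packet counts but not uniform file sizes (286 KB to 7.2 MB above). The capinfos excerpt is quoted from step 6; its "Number of packets" figure is itself rounded by capinfos, so the prediction is approximate.

```python
"""Plan an editcap -c split from capinfos -A output (added example, not article or Wireshark code)."""
import math
import re

# Excerpt of the capinfos -A output shown in the article for fw_mon.cap.
CAPINFOS_OUTPUT = r"""
File name:           C:\capture\fw_mon.cap
File type:           Sun snoop
Number of packets:   105 k
File size:           56 MB
"""

_SI = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9}  # capinfos prints SI prefixes

def parse_quantity(text):
    """Convert capinfos values such as '105 k', '56 MB' or '506.94 bytes' to an int."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([kMG]?)(?:B|bytes)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised capinfos quantity: {text!r}")
    return int(round(float(m.group(1)) * _SI[m.group(2)]))

def parse_capinfos(output):
    """Map the 'Key:   value' lines of capinfos output to a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def plan_split(capinfos_output, desired_bytes):
    """Steps 1-6 of the article's algorithm; returns (packets_per_file, expected_files).
    Because packets_per_file is rounded down, editcap usually writes one more
    (small) file than planned; expected_files is that real count."""
    fields = parse_capinfos(capinfos_output)
    packets = parse_quantity(fields["Number of packets"])
    size = parse_quantity(fields["File size"])
    n_files = max(1, round(size / desired_bytes))  # 56 MB / 5 MB = 11.2 -> 11
    ppf = max(1, packets // n_files)                # 105000 / 11 = 9545.45 -> 9545
    expected_files = math.ceil(packets / ppf)       # 105000 / 9545 -> 12, not 11
    return ppf, expected_files

def editcap_command(ppf, src, dst):
    """Command line from step 7 of the article for the computed -c value."""
    return f'editcap.exe -F pcapng -c {ppf} "{src}" "{dst}"'

if __name__ == "__main__":
    ppf, n = plan_split(CAPINFOS_OUTPUT, 5 * 10**6)
    print(f"-c {ppf}: expect about {n} output files of roughly 5 MB each")
    print(editcap_command(ppf, r"c:\capture\fw_mon.cap", r"c:\capture\fw_mon_split.cap"))
```

Rounding the packets-per-file value up instead of down avoids the trailing stub file; check the actual file sizes afterwards with dir or capinfos, since packet counts, not bytes, are what -c keeps uniform.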
    