Has anyone written a utility that simultaneously filters and merges many pcap-format packet capture files? tshark and tcpdump filter but don't merge, mergecap merges but doesn't filter. I am trying to filter down 64GB of captures (compressed!) into one much smaller file, and it would be nice if I didn't need another several GB of scratch space and two steps, both of them slow.

The utility must run on Linux and ideally would already be packaged in Debian. Ability to read gzipped trace files is highly desirable. Being fast is also highly desirable (tshark takes ten to thirty minutes to process one of the input files; there are 120 of them). I can live with being limited to libpcap's filter syntax.
Digging through the reverse dependencies of libpcap in Debian found me tracesplit (one of the command line utilities bundled with libtrace) which does my simultaneous filter and merge, and can process the full data set in 20 minutes, which is probably as good as I'm getting. It's a little weird that you use the split tool to merge with filtration, but whatever.
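To show what "filter and merge in one pass, no scratch space" means mechanically, here is an added illustration in pure Python (standard library only). It is not tracesplit or any libtrace code and is not from the question or answer above: the pcap reader and writer, the `udp_port_filter` predicate (a hand-written stand-in for the BPF expression `udp port 53`, Ethernet/IPv4 only, no VLAN or IPv6), and the two sample captures built by `make_capture` are all constructed here. Each input, gzipped or not, is read as a stream, the predicate drops packets as they are read, and `heapq.merge` interleaves the survivors by timestamp while holding only one pending packet per input in memory. Only classic pcap is handled, not pcapng.

```python
"""Stream-filter and merge pcap files in a single pass (stdlib only).

Added example, not tracesplit/libtrace code. Assumes classic pcap inputs
that are each already in time order (true for live captures) and share
one link type. Inputs may be gzip-compressed; they are never expanded to disk.
"""
import gzip
import heapq
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4            # microsecond-timestamp pcap magic
LINKTYPE_ETHERNET = 1
ETH_HDR = struct.Struct("!6s6sH")                 # dst, src, ethertype
IPV4_MIN = struct.Struct("!BBHHHBBH4s4s")         # 20-byte IPv4 header
UDP_HDR = struct.Struct("!HHHH")                  # sport, dport, len, csum


def open_stream(fobj):
    """Wrap a seekable binary stream in a gzip decoder if it is gzipped."""
    magic = fobj.read(2)
    fobj.seek(0)
    return gzip.GzipFile(fileobj=fobj) if magic == b"\x1f\x8b" else fobj


def open_path(path):
    """Open an on-disk capture, transparently handling .gz files."""
    return open_stream(open(path, "rb"))


def open_capture(fobj):
    """Parse the pcap global header; return (linktype, packet iterator).

    Packets are yielded as (ts_sec, ts_usec, orig_len, frame_bytes).
    """
    hdr = fobj.read(24)
    if len(hdr) < 24:
        raise ValueError("not a pcap file: short global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("unsupported magic 0x%08x (pcapng?)" % magic)
    linktype = struct.unpack(endian + "IHHiIII", hdr)[6]
    rec = struct.Struct(endian + "IIII")

    def packets():
        while True:
            raw = fobj.read(16)
            if not raw:
                return                  # clean end of file
            if len(raw) < 16:
                raise ValueError("truncated record header")
            sec, usec, incl, orig = rec.unpack(raw)
            data = fobj.read(incl)
            if len(data) < incl:
                raise ValueError("truncated packet data")
            yield sec, usec, orig, data

    return linktype, packets()


def udp_port_filter(port):
    """Predicate equivalent to BPF 'udp port <port>' for Ethernet/IPv4."""
    def match(frame):
        if len(frame) < ETH_HDR.size + IPV4_MIN.size + UDP_HDR.size:
            return False
        if ETH_HDR.unpack_from(frame)[2] != 0x0800:   # not IPv4
            return False
        ip = IPV4_MIN.unpack_from(frame, ETH_HDR.size)
        if ip[6] != 17 or ip[4] & 0x1FFF:   # not UDP, or a later fragment
            return False
        off = ETH_HDR.size + (ip[0] & 0x0F) * 4       # skip IP options
        if len(frame) < off + UDP_HDR.size:
            return False
        sport, dport, _, _ = UDP_HDR.unpack_from(frame, off)
        return port in (sport, dport)
    return match


def filter_and_merge(inputs, predicate, out):
    """One pass over all inputs: filter while reading, merge by timestamp.

    Returns the number of packets written to `out` (a binary stream).
    """
    streams, linktype = [], None
    for fobj in inputs:
        lt, pkts = open_capture(open_stream(fobj))
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("link type mismatch: %d vs %d" % (lt, linktype))
        streams.append(p for p in pkts if predicate(p[3]))
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype or 0))
    n = 0
    for sec, usec, orig, data in heapq.merge(*streams, key=lambda p: (p[0], p[1])):
        out.write(struct.pack("<IIII", sec, usec, len(data), orig) + data)
        n += 1
    return n


def udp_frame(dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; sample only)."""
    udp = UDP_HDR.pack(40000, dport, 8 + len(payload), 0) + payload
    ip = IPV4_MIN.pack(0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return ETH_HDR.pack(b"\x02" * 6, b"\x02" * 6, 0x0800) + ip


def make_capture(packets, gzipped=False):
    """Serialize (sec, usec, frame) tuples into an in-memory pcap, gzipped or not."""
    buf = io.BytesIO()
    buf.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for sec, usec, frame in packets:
        buf.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    data = buf.getvalue()
    return io.BytesIO(gzip.compress(data) if gzipped else data)


def demo():
    """Two constructed captures (one gzipped) merged through 'udp port 53'."""
    cap_a = make_capture([(100, 0, udp_frame(53, b"a1")),
                          (102, 0, udp_frame(80, b"a2")),      # dropped
                          (104, 0, udp_frame(53, b"a3"))])
    cap_b = make_capture([(101, 500, udp_frame(53, b"b1")),
                          (103, 0, udp_frame(53, b"b2"))], gzipped=True)
    out = io.BytesIO()
    count = filter_and_merge([cap_a, cap_b], udp_port_filter(53), out)
    out.seek(0)
    payloads = [frame[-2:] for _, _, _, frame in open_capture(out)[1]]
    return count, payloads          # (4, [b"a1", b"b1", b"b2", b"a3"])


if __name__ == "__main__":
    print(demo())
```

For real files, pass `[open_path(p) for p in paths]` and an opened output file to `filter_and_merge`. The merge step is the same k-way merge tracesplit-style tools perform; the design point is that because filtering happens inside each input's generator and the merge keeps only one pending packet per input, the 64GB of compressed input never needs to be expanded or copied to scratch space between the two steps.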