My understanding is that you want to:

  1. Capture with minimal risk of dropped packets
  2. Create one pcap file per unique IP address
  3. Do this really fast without using much CPU or memory

My recommendation would be this:

  1. Sniff with something fast, like netsniff-ng, and put all packets in one big pcap file. Tcpdump or dumpcap are okay too.
  2. Use SplitCap to split the big pcap file based on IP addresses like this: SplitCap.exe -r dump.pcap -s host

You will now have a bunch of PCAP files, one for each observed unique IP address.
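Added example, not part of the answer above and not SplitCap's own code: a small Python script that does the step-2 split without SplitCap, writing every packet into the pcap of its source IP and into the pcap of its destination IP, so each observed address ends up with its own file. It assumes a classic pcap with the Ethernet linktype (what tcpdump and dumpcap write by default), builds a tiny constructed capture in memory in place of dump.pcap so it runs offline, and handles IPv6 as well as IPv4. Function names, the per-host fan-out rule, and the 10.0.0.x sample addresses are my own choices; that SplitCap's -s host mode assigns packets to both endpoints' files in exactly this way is an assumption, not something the answer states.

```python
import struct
import ipaddress
from collections import OrderedDict
from pathlib import Path

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame):
    # record header: ts_sec, ts_usec, incl_len, orig_len
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def parse_pcap(data):
    """Return (linktype, [(ts_sec, ts_usec, frame), ...]); raise on malformed input."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:           # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_usec, frame))
    return linktype, records


def ip_endpoints(frame):
    """(src, dst) strings for an Ethernet frame carrying IPv4 or IPv6, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        src, dst = frame[26:30], frame[30:34]
    elif ethertype == ETHERTYPE_IPV6 and len(frame) >= 54:
        src, dst = frame[22:38], frame[38:54]
    else:
        return None                      # ARP and other non-IP frames have no host
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))


def split_by_host(data):
    """Map each observed IP to a complete pcap (bytes) of every packet it sent or received."""
    linktype, records = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    per_host = OrderedDict()
    for ts_sec, ts_usec, frame in records:
        endpoints = ip_endpoints(frame)
        if endpoints is None:
            continue
        rec = pcap_record(ts_sec, ts_usec, frame)
        for host in set(endpoints):      # set(): a packet from a host to itself is written once
            per_host.setdefault(host, bytearray(pcap_global_header(linktype))).extend(rec)
    return {host: bytes(buf) for host, buf in per_host.items()}


def write_split_files(data, outdir):
    """Write one <ip>.pcap per host into outdir and return the paths written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for host, pcap_bytes in split_by_host(data).items():
        path = outdir / (host.replace(":", "_") + ".pcap")   # IPv6 colons are not filename-safe everywhere
        path.write_bytes(pcap_bytes)
        paths.append(path)
    return paths


def build_ipv4_frame(src, dst, payload=b""):
    """Constructed test frame: Ethernet + minimal IPv4 header (proto UDP, checksum 0) + payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def sample_capture():
    """Constructed stand-in for dump.pcap: three IPv4 packets among three hosts plus one ARP frame."""
    frames = [
        build_ipv4_frame("10.0.0.1", "10.0.0.2", b"a"),
        build_ipv4_frame("10.0.0.1", "10.0.0.3", b"b"),
        build_ipv4_frame("10.0.0.2", "10.0.0.1", b"c"),
        bytes.fromhex("ffffffffffff001122334455") + struct.pack("!H", 0x0806) + b"\x00" * 28,
    ]
    return pcap_global_header() + b"".join(pcap_record(1700000000, i, f) for i, f in enumerate(frames))


if __name__ == "__main__":
    for host, pcap_bytes in split_by_host(sample_capture()).items():
        print(host, len(parse_pcap(pcap_bytes)[1]), "packets")
```

Running it on a real capture is `write_split_files(open("dump.pcap", "rb").read(), "by_host")`. Because every IP packet lands in two files (sender and receiver), the output takes roughly twice the disk of the input, and the whole capture is held in memory while splitting; for the large single dump the answer recommends, a streaming version that keeps one open file handle per host is the next step.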