I have a pcap file that has 700 UDP flows. I want to select the first N (say 5) packets of each flow, discard the other packets of that flow and then merge them into one pcap. So the pcap file would have (700*5) packets, and each 5 packets belong to one flow. Is there any program to do this? If not, what's the easiest way to do it? The OS I am using is Linux. asked 01 Oct '15, 00:00 AminSo
One Answer:
Use a script to filter the original capture file through tshark using the filter 'udp.stream == x', where x is 0...699. This gives you 700 individual capture files with one stream each. Then use editcap to shorten each to N packets. This gives you 700 individual capture files with the start of one stream each. Then use mergecap to compile them into one capture file. That's a basic approach, which may require fine tuning. answered 01 Oct '15, 01:54 Jaap ♦
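As an added example, not code from the answer above or from the Wireshark project: the same result can be produced in a single pass, without running tshark 700 times over the same file and then editcap and mergecap on 700 fragments. The script below reads a classic pcap, keys each packet by its UDP conversation (bidirectional, so request and reply fall into the same flow, as udp.stream numbers them), keeps the first N packets per flow in capture order and writes them back out with the original record headers, so timestamps survive. It uses only the Python standard library. All function names (parse_pcap, first_n_per_flow, flow_key, make_udp_packet, make_pcap, demo) are my own, and the sample capture built by make_udp_packet/make_pcap is constructed for the demo, not a real trace. Assumptions: Ethernet link type and IPv4; a pcapng file would first need converting with `editcap -F pcap`.

```python
"""Keep the first N packets of every UDP conversation in a pcap and write them
out as one pcap in a single pass, standard library only. Added example, not
code from the original thread. Assumes a classic pcap with Ethernet framing."""
import socket
import struct
from collections import defaultdict

ETH_P_IP, IPPROTO_UDP, LINKTYPE_ETHERNET = 0x0800, 17, 1

def flow_key(frame):
    """Bidirectional (addr, port) pair for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl + 8 or frame[23] != IPPROTO_UDP:
        return None
    if struct.unpack_from("!H", frame, 20)[0] & 0x1FFF:
        return None  # non-first IP fragment: no UDP header to read
    src, dst = frame[26:30], frame[30:34]
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)  # same key for both directions

def parse_pcap(data):
    """Split a classic pcap into its 24-byte global header and (record header, frame) pairs."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # usec / nsec, LE
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap (convert pcapng with editcap -F pcap)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((data[off:off + 16], frame))
        off += 16 + incl_len
    return data[:24], records

def first_n_per_flow(data, n):
    """Return a pcap with only the first n frames of each UDP flow, in capture
    order. Non-UDP frames are dropped, matching the question."""
    header, records = parse_pcap(data)
    seen, kept = defaultdict(int), []
    for rec_hdr, frame in records:
        key = flow_key(frame)
        if key is not None and seen[key] < n:
            seen[key] += 1
            kept.append(rec_hdr + frame)  # original timestamp/length header kept
    return header + b"".join(kept)

def flow_packet_counts(data):
    """Frames per UDP flow, for checking a result."""
    counts = defaultdict(int)
    for _, frame in parse_pcap(data)[1]:
        key = flow_key(frame)
        if key is not None:
            counts[key] += 1
    return dict(counts)

def make_udp_packet(src, sport, dst, dport, payload=b"x"):
    """Constructed minimal Ethernet/IPv4/UDP frame (checksums left zero); demo data only."""
    udp_len = 8 + len(payload)
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload

def make_pcap(frames, byte_order="<"):
    """Wrap frames in a classic pcap with LINKTYPE_ETHERNET; demo data only."""
    out = [struct.pack(byte_order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack(byte_order + "IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def demo(n=2):
    """Three constructed flows with 4, 3 and 1 frames (the first bidirectional) cut to n."""
    fa = ("10.0.0.1", 40000, "10.0.0.2", 53)
    fa_rev = ("10.0.0.2", 53, "10.0.0.1", 40000)
    fb = ("10.0.0.1", 40001, "10.0.0.3", 123)
    fc = ("192.168.1.5", 5000, "192.168.1.9", 5001)
    frames = [make_udp_packet(*fa, b"q1"), make_udp_packet(*fa_rev, b"r1"),
              make_udp_packet(*fb, b"b1"), make_udp_packet(*fa, b"q2"),
              make_udp_packet(*fc, b"c1"), make_udp_packet(*fa_rev, b"r2"),
              make_udp_packet(*fb, b"b2"), make_udp_packet(*fb, b"b3")]
    capture = make_pcap(frames)
    return flow_packet_counts(capture), flow_packet_counts(first_n_per_flow(capture, n))

if __name__ == "__main__":  # usage: python3 firstn.py input.pcap output.pcap N
    import sys
    with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
        dst.write(first_n_per_flow(src.read(), int(sys.argv[3])))
```

Run it as `python3 firstn.py input.pcap output.pcap 5`; `tshark -r output.pcap -z conv,udp -q` will then show every UDP conversation with at most 5 frames. If you want the per-direction ("unidirectional") notion of a flow instead of Wireshark's conversation, drop the ordering in flow_key and return (src, sport, dst, dport) as-is.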
Thank you very much. I had such an idea but wasn't sure about it.
Just one thing: could you please write the tshark command that I should use? I wrote this:
tshark -r input.pcap -w output.pcap -R "udp.stream == 0"
it works but says: "-R without -2 is deprecated. For single-pass filtering use -Y"
By the way, "udp.stream" doesn't exist in Wireshark. It only has tcp.stream.
What's your Wireshark version? udp.stream was introduced by commit 7e064556, using
git tag --contains 7e064556
shows that the first stable version to include it was 1.12.0.
Thanks. I have updated Wireshark and it now has udp.stream.