Slicing And Splitting Trace Files

With the introduction of packet capture devices, it is becoming common to get multi-gigabyte trace files.

When you have to analyze huge trace files, you basically only have 3 options:

- Suck it up and find something to do while your protocol analyzer of choice chugs through the trace file.

- Buy an application that specializes in analyzing and reporting using large trace files.

- Slice and/or split trace files to make them manageable.

Each option has its pros and cons but I will focus on the last one since there is many things to consider and some myths to dispel. For example, many people I speak to believe just because you slice a trace file, and it becomes smaller, it will load much faster in Wireshark. The other myth is that working with many split files is cumbersome and takes a lot of time to move on to the next trace file.

In this video, I demonstrate that with the trace file I used, it didn’t matter much if the trace file was sliced and moving between split trace didn’t take much effort.

The important part of the video is understanding my methodology and how you can replicate in your environment, with your equipment to figure out the best approach for you. This would be good to do BEFORE you encounter this scenario in the field.

Here are the commands I used in my Windows batch file. Simply copy and paste this into your favorite text editor (or notepad) and save with a bat extension.

echo off

cls

echo slicing trace file

echo Started at %time%

editcap -s 128 3GB.pcapng sliced.pcapng

echo Completed at %time%

echo .

echo ..

echo .

echo splitting sliced trace file at 500,000 packets

echo Started at %time%

editcap -c 500000 sliced.pcapng split_500000.pcapng

echo Completed at %time%

I encourage you to give it a try and get to know your tools before you are thrown into a scenario where you are handed large trace files.

Check out over 950 videos and articles posted at www.networkdatapedia.com