How to separate PCAP by unique IP address

networkingpacket-capturepcapwireshark

I have an hour long PCAP file which has about 60 individual network attacks done on our test network here at work. Each attack comes from a unique IP address which was not used elsewhere during the hour.

I'd like to make 60 pcaps out of this one file, but also include the background traffic as well.

There's no real pattern to when the attacks occur (i.e. there could be 6 in the first minute, and then 1 could run for the next 10 minutes).

I can separate into files which just capture the attack, but I'm really interested in having the background traffic there as well.

To clarify my reason for needing this, I am using this data to attempt to train a machine learning based network sensor.

Best Answer

Assuming that you have the list of attack IPs in a file named attack-ips, the raw dump in capture.pcap, and that the attack range is 1.0.0.0/24, the following script using tcpdump should accomplish this:

while read ATTACKIP; do
    tcpdump -n -r capture.pcap -w "$ATTACKIP.pcap" "host $ATTACKIP or not net 1.0.0.0/24"
done < attack-ips

The filter selects traffic which is either to or from the attack IP, or neither to nor from the attack range (to exclude all the other attack IPs).

Related Solutions

PCAP Files – How to Read PCAP Files in a Friendly Format

Wireshark is probably the best, but if you want/need to look at the payload without loading up a GUI you can use the -X or -A options

tcpdump -qns 0 -X -r serverfault_request.pcap

14:28:33.800865 IP 10.2.4.243.41997 > 69.59.196.212.80: tcp 1097
        0x0000:  4500 047d b9c4 4000 4006 63b2 0a02 04f3  E..}..@.@.c.....
        0x0010:  453b c4d4 a40d 0050 f0d4 4747 f847 3ad5  E;.....P..GG.G:.
        0x0020:  8018 f8e0 1d74 0000 0101 080a 0425 4e6d  .....t.......%Nm
        0x0030:  0382 68a1 4745 5420 2f71 7565 7374 696f  ..h.GET./questio
        0x0040:  6e73 2048 5454 502f 312e 310d 0a48 6f73  ns.HTTP/1.1..Hos
        0x0050:  743a 2073 6572 7665 7266 6175 6c74 2e63  t:.serverfault.c
        0x0060:  6f6d 0d0a 5573 6572 2d41 6765 6e74 3a20  om..User-Agent:.
        0x0070:  4d6f 7a69 6c6c 612f 352e 3020 2858 3131  Mozilla/5.0.(X11
        0x0080:  3b20 553b 204c 696e 7578 2069 3638 363b  ;.U;.Linux.i686;

tcpdump -qns 0 -A -r serverfault_request.pcap

14:29:33.256929 IP 10.2.4.243.41997 > 69.59.196.212.80: tcp 1097
E..}..@.@.c.
...E;...^M.P..^w.G.......t.....
.%.}..l.GET /questions HTTP/1.1
Host: serverfault.com

There are many other tools for reading and getting stats, extracting payloads and so on. A quick look on the number of things that depend on libpcap in the debian package repository gives a list of 50+ tools that can be used to slice, dice, view, and manipulate captures in various ways.

For example.

PCAP – How to Split a PCAP File into Smaller Files

You can use tcpdump itself with the -C, -r and -w options

tcpdump -r old_file -w new_files -C 10

The "-C" option specifies the size of the file to split into. Eg: In the above case new files size will be 10 million bytes each.

Best Answer

Related Solutions

PCAP Files – How to Read PCAP Files in a Friendly Format

PCAP – How to Split a PCAP File into Smaller Files

Related Topic