I have an hour-long PCAP file which has about 60 individual network attacks done on our test network here at work. Each attack comes from a unique IP address which was not used elsewhere during the hour.
I'd like to make 60 pcaps out of this one file, but also include the background traffic as well.
There's no real pattern to when the attacks occur (i.e. there could be 6 in the first minute, and then 1 could run for the next 10 minutes).
I can separate into files which just capture the attack, but I'm really interested in having the background traffic there as well.
To clarify my reason for needing this, I am using this data to attempt to train a machine learning based network sensor.
Best Answer
Assuming that you have the list of attack IPs in a file named attack-ips, the raw dump in capture.pcap, and that the attack range is 1.0.0.0/24, the following script using tcpdump should accomplish this:

The filter selects traffic which is either to or from the attack IP, or neither to nor from the attack range (to exclude all the other attack IPs).
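The script itself did not survive on this page, so here is an added example (my own, not the answerer's script) of the approach the answer describes. It assumes the same placeholders as the answer: the attacker list in attack-ips (one address per line), the capture in capture.pcap, and 1.0.0.0/24 as the attack range. For each attacker it runs tcpdump with the BPF expression "host <ip> or not net <range>", so every output file keeps that attacker's packets plus everything that touches no address in the attack range, while the other 59 attackers are excluded from its background.

```shell
#!/bin/sh
# Added example, not the original answer's script.
# Splits one capture into one pcap per attacker IP, each of which also keeps
# the background traffic (anything not involving the attack range).
# Assumed inputs: ./attack-ips (one IP per line), ./capture.pcap, range 1.0.0.0/24.

# Build the BPF filter for one attacker: packets to or from that host, plus
# packets that touch no address in the attack range. In BPF, "not" binds
# tighter than "or", so this reads as: host X or (not net RANGE).
build_filter() {
    ip="$1"
    range="$2"
    printf 'host %s or not net %s' "$ip" "$range"
}

# Walk the IP list and write one output file per attacker. Blank lines and
# lines starting with '#' are skipped. Prints the number of files written.
split_capture() {
    list="$1"
    pcap="$2"
    range="$3"
    outdir="${4:-.}"
    mkdir -p "$outdir"
    count=0
    while IFS= read -r ip; do
        case "$ip" in ''|\#*) continue ;; esac
        # -n: no name resolution (faster, and no DNS lookups for attacker IPs)
        tcpdump -n -r "$pcap" -w "$outdir/attack-$ip.pcap" \
            "$(build_filter "$ip" "$range")"
        count=$((count + 1))
    done < "$list"
    echo "$count"
}

# Usage: sh split.sh attack-ips capture.pcap 1.0.0.0/24 [outdir]
# With no arguments, just show the filter that would be used for one attacker.
if [ "$#" -ge 3 ]; then
    n=$(split_capture "$1" "$2" "$3" "${4:-.}")
    echo "wrote $n pcap files"
else
    echo "example filter: $(build_filter 1.0.0.7 1.0.0.0/24)"
fi
```

Two things worth knowing before training on the output: non-IP frames such as ARP match "not net" and so appear in every file, and the background traffic is duplicated across all 60 files, so the total size will be roughly 60 times the background plus the attacks. If the sensor must not learn to key on the attacker addresses themselves, that is a separate preprocessing step (for example address anonymisation) that tcpdump does not do for you.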