Or in short: sortcap
Medium- to large-sized PCAPs are tricky to "access": every tool has to scan the whole file just to show details about one connection or IP.
sortcap simply sorts the pcap's packets by their "connection tuple" (src, sport, dst, dport, proto). Once the file is sorted, you only need to remember the offset of the first packet for a given tuple to extract all of its related packets efficiently. The per-connection offsets can then be indexed so that searching for an IP or port returns the offsets to read from.
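The idea above in working form, as an added illustration that is not sortcap's own code: a minimal pcap reader that sorts records by the 5-tuple, records the first offset and packet count per tuple, and then seeks straight to one connection's packets. It assumes a little-endian pcap with Ethernet/IPv4 frames; the sample capture, frame builder and addresses are constructed for the example.

```python
import struct
from itertools import islice
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, LINKTYPE_ETHERNET

def conn_tuple(frame):
    """(src, sport, dst, dport, proto) of an Ethernet/IPv4 frame; anything else gets a sentinel."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return ("", 0, "", 0, 0)
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    ports = struct.unpack("!HH", frame[l4:l4 + 4]) if proto in (6, 17) and len(frame) >= l4 + 4 else (0, 0)
    return (src, ports[0], dst, ports[1], proto)

def records(data, off=24):
    """Yield (16-byte record header, frame) pairs starting at byte offset `off`."""
    while off + 16 <= len(data):
        n = struct.unpack_from("<I", data, off + 8)[0]  # incl_len
        yield data[off:off + 16], data[off + 16:off + 16 + n]
        off += 16 + n

def sortcap(data):
    """Rewrite `data` grouped by tuple; return (sorted pcap, {tuple: (first offset, count)})."""
    out, index = bytearray(data[:24]), {}
    # sorted() is stable, so packets within one tuple keep their capture order
    for hdr, frame in sorted(records(data), key=lambda r: conn_tuple(r[1])):
        t = conn_tuple(frame)
        off, cnt = index.get(t, (len(out), 0))
        index[t] = (off, cnt + 1)
        out += hdr + frame
    return bytes(out), index

def extract(sorted_data, index, t):
    """Seek straight to the tuple's first packet and read only its `cnt` records."""
    off, cnt = index[t]
    return list(islice(records(sorted_data, off), cnt))

def frame(src, sport, dst, dport, proto=6):
    """Constructed minimal Ethernet/IPv4 frame with a 20-byte L4 stub (no checksums)."""
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, proto, 0, 0])
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

def pcap(frames):
    """Constructed capture: global header plus one record per frame, ts_sec = capture index."""
    return PCAP_HDR + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                               for i, f in enumerate(frames))
# Constructed sample: a TCP flow and a UDP flow interleaved in capture order.
SAMPLE = pcap([frame("10.0.0.1", 40000, "10.0.0.2", 80), frame("10.0.0.3", 5353, "10.0.0.4", 53, 17),
               frame("10.0.0.1", 40000, "10.0.0.2", 80), frame("10.0.0.3", 5353, "10.0.0.4", 53, 17)])
```

On a real file the index dict is what you would persist (by IP or port) so later lookups never rescan the capture.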
./sortcap -i <input_pcap> -o <output_pcap>
Or with the Docker image:
docker run --rm --net=none -v $PWD:/pcap r7labs/sortcap -i input.pcap -o output.pcap
If you have a pcapng, a gzipped pcapng, or similar, preprocess it with mergecap first:
docker run --rm --net=none -v $PWD:/pcap --entrypoint mergecap r7labs/sortcap -F pcap -w output.pcap input.pcapng.gz
- Support pcapng / gzipped natively
- Other indexing options (see --index)
- Other protocol types?