Using Wireshark's built-in tool editcap to split packets
Procedure:
Navigate to the Wireshark installation directory, then run editcap.exe -c <packets per file> <input.pcap> <output.pcap>; editcap writes one output file per chunk, appending a sequence number and timestamp to the output name.
Example:
D:\Program Files\Wireshark>editcap.exe -c 60000 pcap_00012_20130130103516.pcap zhiye.pcap
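What editcap -c does is split the record stream of a pcap file every N packets, copying the global header into each output file. The following added example, which is not part of the original page or of the Wireshark project, does the same thing on in-memory data so that you can see the file layout involved: it builds a small classic pcap (constructed sample packets), walks the records while checking for truncation, and splits them into chunks of the requested size. The function names (build_pcap, iter_records, split_pcap, record_count) are this example's own.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap variant with nanosecond timestamps
GLOBAL_HDR_LEN = 24            # magic, version, tz, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16            # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(packets, linktype=1):
    """Build a little-endian classic pcap from raw packet bytes (constructed test data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        # one record header per packet, followed by the captured bytes
        out += struct.pack("<IIII", 1359513316 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def _endianness(data):
    """Detect byte order from the magic number; both orders are valid on disk."""
    for e in ("<", ">"):
        magic = struct.unpack(e + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return e
    raise ValueError("not a pcap file (unknown magic number)")


def iter_records(data):
    """Yield each record (header + packet bytes) as a slice; refuse truncated input."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    e = _endianness(data)
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        incl_len = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        end = off + RECORD_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        yield data[off:end]
        off = end


def split_pcap(data, per_file):
    """Split a pcap into chunks of at most per_file records, like editcap -c."""
    if per_file < 1:
        raise ValueError("per_file must be at least 1")
    header = data[:GLOBAL_HDR_LEN]      # every chunk gets its own copy of the global header
    chunks, current = [], []
    for rec in iter_records(data):
        current.append(rec)
        if len(current) == per_file:
            chunks.append(header + b"".join(current))
            current = []
    if current:                          # last, possibly shorter, chunk
        chunks.append(header + b"".join(current))
    return chunks


def record_count(data):
    """Number of records in a pcap, the figure capinfos would report as packets."""
    return sum(1 for _ in iter_records(data))


if __name__ == "__main__":
    # constructed sample: five dummy packets of 60..64 bytes
    sample = build_pcap([bytes([i]) * (60 + i) for i in range(5)])
    for n, chunk in enumerate(split_pcap(sample, 2)):
        print("chunk %05d: %d records, %d bytes" % (n, record_count(chunk), len(chunk)))
```

The truncation checks matter in practice: a capture cut off by a full disk or a killed dumpcap ends mid-record, and a splitter that trusts incl_len blindly would silently emit a final chunk that no tool can read back.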
Reference: Wireshark Online User Manual
http://man.lupaworld.com/content/network/wireshark
Reference: Packet Capture Filter Fields
http://man.he.net/man7/pcap-filter
Common Packet Capture Filters
src host host #Capture only packets with source host as host
Example: src host 10.5.8.185
host host #Capture only packets with source or destination host as host
Example: host 10.5.8.185
Any filter expression above can be prefixed with keywords such as ip, arp, rarp, or ip6, in forms like: ip host host, ip src host host. If host is a hostname that resolves to multiple IP addresses, each of those addresses is matched and captured.
ether dst ehost #Capture only packets with destination host as ehost; ehost can be a name from /etc/ethers or a numeric Ethernet (MAC) address
ether src ehost #Capture only packets with source host as ehost
ether host ehost #Capture only packets with destination or source host as ehost
gateway host #Capture only packets that used host as a gateway, i.e. the Ethernet source or destination address is host but neither the IP source nor the IP destination is host
dst net net #Capture packets for the given network, net can be a name from a network database or a network number
Example: dst net 10.4 #Capture packets for network 10.4
net net/len #Capture packets for the given subnet
Example: net 10.4.0.0/16
port number #Capture only tcp or udp packets with the specified port number as source or destination
Example: port 80 #Capture tcp or udp packets on port 80
tcp port http #Capture packets from the HTTP tcp port 80
tcp #Capture only tcp protocol packets
udp #Capture only udp protocol packets
dst port port #Capture tcp or udp packets with destination port as port; the port can be a name from /etc/services or a number. If a name is used, both the port number and the protocol are checked; if a number or an ambiguous name is used, only the port number is checked.
Example: dst port 137
src port port #Capture packets with source port as port
Example: src port 455
dst portrange port1-port2 #Capture packets with destination port between port1 and port2
Example: dst portrange 1-400
src portrange port1-port2 #Capture packets with source port between port1 and port2
Example: src portrange 1-400
Note: The above port or port range expressions can be prefixed with tcp or udp, for example:
tcp src port port #Capture only tcp protocol packets with source port as port
less length #Capture packets with lengths (frame length) less than or equal to length, equivalent to len <= length.
greater length #Capture packets with lengths greater than or equal to length, equivalent to len >= length.
ip protochain protocol #Equivalent to ip6 protochain protocol, but for ipv4
ether broadcast #Capture ethernet broadcast packets.
ip broadcast #Capture ipv4 broadcast packets. Both the all-zeros and all-ones broadcast conventions are checked, using the subnet mask of the interface being captured on. If that subnet mask is unavailable, either because the interface has no netmask configured or because the capture runs on Linux's 'any' pseudo-interface (which captures on more than one interface), this check will not work correctly.
ether multicast #Capture ethernet multicast packets
ip multicast #Capture ipv4 multicast packets
ip6 multicast #Capture ipv6 multicast packets
not broadcast and not multicast #Don't capture broadcast or multicast packets
ip #Capture only ipv4 packets (shorthand for ether proto \ip)
not arp #Don't capture arp packets
decnet src host #Capture DECNET source address packets with source host as host, host can be a DECNET hostname or an address in the format of 10.123 [DECNET host name support is only available on ULTRIX systems that are configured to run DECNET.]
decnet dst host #Capture DECNET destination address packets with destination host as host
decnet host host #Capture DECNET packets with source or destination address as host
ifname interface #Capture packets logged on the specified interface (applies only to packets logged by OpenBSD's or FreeBSD's pf(4))
on interface #Same as ifname interface.
rnr num #Capture packets matching the specified pf rule number (applies only to packets logged by OpenBSD's or FreeBSD's pf(4))
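The primitives listed above are easiest to understand by seeing what they actually test in a frame. The following added example, which is not part of the original page or of libpcap, implements the host, net, port, portrange, tcp/udp and length primitives from this list as predicates over a tiny Ethernet/IPv4/TCP/UDP decoder, with and/or/not combinators, and runs them over constructed sample frames (the build_frame, decode, apply_filter and predicate names are this example's own; checksums are zeroed because nothing here validates them). It goes slightly beyond the page by combining predicates the way a compound capture filter would.

```python
import ipaddress
import struct

ETH_HDR = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Constructed Ethernet II + IPv4 + TCP/UDP frame for the examples (sample data only)."""
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0) + payload
        ipproto = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ipproto = 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ipproto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return ETH_HDR + ip + l4


def decode(frame):
    """Minimal decoder: frame length, IPv4 addresses, protocol and L4 ports (None if absent)."""
    info = {"len": len(frame), "proto": None, "src": None, "dst": None, "sport": None, "dport": None}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return info
    ihl = (frame[14] & 0x0F) * 4
    info["proto"] = frame[23]
    info["src"] = ipaddress.IPv4Address(frame[26:30])
    info["dst"] = ipaddress.IPv4Address(frame[30:34])
    l4 = 14 + ihl
    if info["proto"] in (6, 17) and len(frame) >= l4 + 4:   # ports only exist for tcp/udp
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


# --- primitives; each returns a predicate over a decoded frame ---
def src_host(h): return lambda p: p["src"] == ipaddress.IPv4Address(h)
def dst_host(h): return lambda p: p["dst"] == ipaddress.IPv4Address(h)
def host(h): return or_(src_host(h), dst_host(h))
def net(cidr):
    n = ipaddress.ip_network(cidr, strict=False)   # net 10.4.0.0/16 matches either direction
    return lambda p: p["src"] is not None and (p["src"] in n or p["dst"] in n)
def tcp(): return lambda p: p["proto"] == 6
def udp(): return lambda p: p["proto"] == 17
def src_port(n): return lambda p: p["sport"] == n
def dst_port(n): return lambda p: p["dport"] == n
def port(n): return or_(src_port(n), dst_port(n))   # tcp or udp, either direction
def src_portrange(lo, hi): return lambda p: p["sport"] is not None and lo <= p["sport"] <= hi
def dst_portrange(lo, hi): return lambda p: p["dport"] is not None and lo <= p["dport"] <= hi
def portrange(lo, hi): return or_(src_portrange(lo, hi), dst_portrange(lo, hi))
def less(n): return lambda p: p["len"] <= n      # len <= n, as in the list above
def greater(n): return lambda p: p["len"] >= n   # len >= n

# --- combinators, standing in for the filter language's and / or / not ---
def and_(*fs): return lambda p: all(f(p) for f in fs)
def or_(*fs): return lambda p: any(f(p) for f in fs)
def not_(f): return lambda p: not f(p)


def apply_filter(pred, frames):
    """Indexes of the frames a predicate would let through."""
    return [i for i, f in enumerate(frames) if pred(decode(f))]


# constructed sample traffic; frame lengths are 60, 69, 42 and 43 bytes
SAMPLE = [
    build_frame("10.5.8.185", "10.4.1.2", "tcp", 51000, 80, b"GET / "),
    build_frame("10.4.1.2", "10.5.8.185", "tcp", 80, 51000, b"HTTP/1.1 200 OK"),
    build_frame("10.5.8.185", "10.4.1.3", "udp", 137, 137),
    build_frame("192.168.1.1", "172.16.0.1", "udp", 455, 53, b"q"),
]

if __name__ == "__main__":
    print("src host 10.5.8.185     ->", apply_filter(src_host("10.5.8.185"), SAMPLE))
    print("tcp port http           ->", apply_filter(and_(tcp(), port(80)), SAMPLE))
    print("dst portrange 1-400     ->", apply_filter(dst_portrange(1, 400), SAMPLE))
    print("net 10.4.0.0/16 and udp ->", apply_filter(and_(net("10.4.0.0/16"), udp()), SAMPLE))
```

Note how port and portrange return False for anything that is not tcp or udp, which is exactly why a bare port 80 filter never picks up ICMP or ARP traffic.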