패킷 분할 방법

패킷 분할 방법

1. editcap 

와이어샤크를 설치할 때 같이 설치되는 파일로 와이어샤크가 설치된 폴더에 들어가면 있는 걸 볼 수 있다.

Editcap 1.12.4 (v1.12.4-0-gb4861da from master-1.12)
Edit and/or translate the format of capture files.
See http://www.wireshark.org for more information.
 
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
 
<infile> and <outfile> must both be present.
A single packet or a range of packets can be selected.
 
Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only output packets whose timestamp is after (or equal
                         to) the given time (format as YYYY-MM-DD hh:mm:ss).
  -B <stop time>         only output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss).
 
Duplicate packet removal:
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -v (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).
 
           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -v may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.
 
Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end. If an optional offset precedes the length,
                         then the bytes chopped will be offset from that value.
                         Positive offsets are from the packet beginning,
                         negative offsets are from the packet end. You can use
                         this option more than once, allowing up to 2 chopping
                         regions within a packet provided that at least 1
                         choplen is positive and at least 1 is negative.
  -L                     adjust the frame length when chopping and/or snapping
  -t <time adjustment>   adjust the timestamp of each packet;
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to insure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                         a particular packet byte will be randomly changed.
 
Output File(s):
  -c <packets per file>  split the packet output to different files based on
                         uniform packet counts with a maximum of
                         <packets per file> each.
  -i <seconds per file>  split the packet output to different files based on
                         uniform time intervals with a maximum of
                         <seconds per file> each.
  -F <capture type>      set the output file type; default is pcapng. An empty
                         "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type; default is the
                         same as the input file. An empty "-T" option will
                         list the encapsulation types.
 
Miscellaneous:
  -h                     display this help and exit.
  -v                     verbose output.
                         If -v is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-error.
 

(관리자 권한으로 실행하기 바람)

1. 패킷을 10만개씩 분할

 >editcap.exe -c 100000 original.pcap split.pcap

이런식으로 옵션에 맞게 패킷이 잘린다. 

2. 패킷을 초 단위로 분할

 >editcap.exe -i 60 orginal.pcap split.pcap

3. 특정 시간 범위만 패킷 추출

 >editcap.exe (-v ) -A "2015-09-07 16:00:00" -B "2015-09-07 17:00:00" original.pcap split.pcap

 (-v 는 verbose로 좀 더 자세한 정보를 알려준다. -A와 -B 로 시작과 끝을 정해준다.)

4. 특정 범위만 지정하여 패킷 추출

 >editcap.exe -r original.pcap split.pcap 100-300 500-700

 (100에서 300, 500에서 700까지의 패킷을 저장한다.)

5. 특정 범위만 제외하여 패킷 추출

 >editcap.exe original.pcap split.pcap 10 100-200

 (10, 100에서 200까지의 패킷만 제외하고 저장한다.)

2. SplitCap 

SplitCap은 pcap파일을 세션별로 분할하여 저장해준다.

 

 >SplitCap.exe -r original.pcap

참고 : http://apollo89.com/wordpress/?p=6900