How to splice PCAPs

Network capture files are often 100 MB or larger, which makes them slow to load in some programs and causes others to reject them outright because the file exceeds a size limit.

Splicing or splitting large PCAP files into several smaller ones may help in this situation.

Sample Files

For this exercise, we will be using files from the US National CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC): https://www.netresec.com/?page=MACCDC

Please download one or more files (.gz) and extract the PCAP to follow along.

Windows Users

Windows users will need a program such as 7-Zip to extract .gz files.

tcpdump

tcpdump is a command-line packet analyzer for Linux and other Unix-like systems. Its -C option, which normally rotates a live capture once the savefile reaches a given size, works just as well when reading an existing PCAP with -r, so it can be used to split a file into chunks of a designated size. Each chunk is written with its own pcap file header, so it opens on its own. Two things to be aware of: -C counts in millions of bytes (1,000,000, not 1,048,576), which is why 25 MB chunks show up as 24M in ls -lh, and the second and later files get a numeric suffix appended after the extension (.pcap1, .pcap2, ...), which tools that pick a reader by file extension may not recognise.

Follow the steps below to split up your file into 25 MB chunks:

  • Navigate to the directory containing your PCAP file(s).
$ ls -lh
total 1.0G
-rwxrwxrwx 1 user user 1.0G Nov  8 09:03 maccdc2012_00001.pcap
  • Run the following tcpdump command:
# Example: tcpdump -r <input-file> -w <output-file> -C <desired file size in millions of bytes>
$ tcpdump -r maccdc2012_00001.pcap -w maccdc2012_00001_25MB.pcap -C 25
reading from file maccdc2012_00001.pcap, link-type EN10MB (Ethernet), snapshot length 4096

$ ls -lh
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap1
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap10
-rwxrwxrwx 1 user user  23M Nov  8 09:19 maccdc2012_00001_25MB.pcap11
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap2
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap3
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap4
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap5
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap6
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap7
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap8
-rwxrwxrwx 1 user user  24M Nov  8 09:19 maccdc2012_00001_25MB.pcap9
-rwxrwxrwx 1 user user 1.0G Nov  8 09:03 maccdc2012_00001.pcap
...

editcap

editcap is a command-line tool that ships with Wireshark and works on most operating systems.

Unlike tcpdump, editcap can split a file by packet count (-c <packets per file>) or by time (-i <seconds per file>). The output files are named with a sequence number and the timestamp of their first packet, and keep the original extension, so every piece is a normal .pcap.

Follow the steps below to split up your file into 1000-packet chunks (NOTE: this will create several thousand files for the MACCDC sample file):

  • Navigate to the directory containing your PCAP file(s).
$ ls -lh
total 1.0G
-rwxrwxrwx 1 user user 1.0G Nov  8 09:03 maccdc2012_00001.pcap
  • Run the following editcap command (Linux):
# Example: editcap -c <packets per file> <input-file> <output-file>
$ editcap -c 1000 maccdc2012_00001.pcap output.pcap

$ ls -lh
-rwxrwxrwx 1 user user 1.0G Nov  8 09:03 maccdc2012_00001.pcap
-rwxrwxrwx 1 user user 698K Nov  8 09:22 output_00000_20120316093007.pcap
-rwxrwxrwx 1 user user 306K Nov  8 09:22 output_00001_20120316093008.pcap
-rwxrwxrwx 1 user user 176K Nov  8 09:22 output_00002_20120316093008.pcap
-rwxrwxrwx 1 user user 105K Nov  8 09:22 output_00003_20120316093009.pcap
-rwxrwxrwx 1 user user 104K Nov  8 09:22 output_00004_20120316093009.pcap
-rwxrwxrwx 1 user user 986K Nov  8 09:22 output_00005_20120316093009.pcap
-rwxrwxrwx 1 user user 183K Nov  8 09:22 output_00006_20120316093009.pcap
-rwxrwxrwx 1 user user 229K Nov  8 09:22 output_00007_20120316093010.pcap
-rwxrwxrwx 1 user user 453K Nov  8 09:22 output_00008_20120316093010.pcap
-rwxrwxrwx 1 user user 716K Nov  8 09:22 output_00009_20120316093011.pcap
-rwxrwxrwx 1 user user 102K Nov  8 09:22 output_00010_20120316093011.pcap
...
  • Run the following editcap command (Windows PowerShell):
# Example: & 'C:\Program Files\Wireshark\editcap.exe' -c <packet size> <input-file> <output-file>

PS C:\> & 'C:\Program Files\Wireshark\editcap.exe' -c 1000 D:\pcaps\maccdc\maccdc-2012\playground\maccdc2012_00001.pcap D:\output_windows.pcap

PS D:\> dir
-a----         11/8/2022   9:39 AM         713892 output_windows_00000_20120316093007.pcap
-a----         11/8/2022   9:39 AM         312604 output_windows_00001_20120316093008.pcap
-a----         11/8/2022   9:39 AM         180032 output_windows_00002_20120316093008.pcap
-a----         11/8/2022   9:39 AM         106848 output_windows_00003_20120316093009.pcap
-a----         11/8/2022   9:39 AM         105564 output_windows_00004_20120316093009.pcap
-a----         11/8/2022   9:39 AM        1009400 output_windows_00005_20120316093009.pcap
-a----         11/8/2022   9:39 AM         186556 output_windows_00006_20120316093009.pcap
-a----         11/8/2022   9:39 AM         234256 output_windows_00007_20120316093010.pcap
-a----         11/8/2022   9:39 AM         463740 output_windows_00008_20120316093010.pcap
-a----         11/8/2022   9:39 AM         732184 output_windows_00009_20120316093011.pcap
-a----         11/8/2022   9:39 AM         104324 output_windows_00010_20120316093011.pcap
...

SplitCap

SplitCap is a tool from NETRESEC which allows users to split a file based on various criteria: by packet count or by time, like the tools above, but also per session (bidirectional TCP/UDP conversation), per flow, per host or per host pair. Splitting by size or packet count is fine for getting a file to load in a viewer, but it cuts TCP conversations at an arbitrary boundary; any analysis that needs complete streams should split by session instead, or merge the pieces back together with mergecap first.

Follow the steps below to split up your file into 1000-packet chunks (NOTE: this will create several thousand files for the MACCDC sample file):

  • Navigate to the directory containing your PCAP file(s).
  • Run the following SplitCap command (Windows PowerShell; SplitCap's usage text lists the option as a lowercase -s):
# Example: & '.\SplitCap.exe' -s packets <packets per file> -r <input_file> -o <output_directory>

PS C:\> & '.\SplitCap.exe' -S packets 1000 -r D:\pcaps\maccdc\maccdc-2012\playground\maccdc2012_00001.pcap -o D:\
Splitting pcap file into seperate pcap files...
4%
 
PS D:\> dir
-a----         11/8/2022   9:49 AM         690000 maccdc2012_00001.pcap.Packets_0.pcap
-a----         11/8/2022   9:49 AM         290000 maccdc2012_00001.pcap.Packets_1.pcap
-a----         11/8/2022   9:49 AM          80000 maccdc2012_00001.pcap.Packets_10.pcap
-a----         11/8/2022   9:49 AM          80000 maccdc2012_00001.pcap.Packets_100.pcap
-a----         11/8/2022   9:49 AM         130000 maccdc2012_00001.pcap.Packets_101.pcap
-a----         11/8/2022   9:49 AM         160000 maccdc2012_00001.pcap.Packets_102.pcap
-a----         11/8/2022   9:49 AM         190000 maccdc2012_00001.pcap.Packets_103.pcap
-a----         11/8/2022   9:49 AM         140000 maccdc2012_00001.pcap.Packets_104.pcap
-a----         11/8/2022   9:49 AM          90000 maccdc2012_00001.pcap.Packets_105.pcap
-a----         11/8/2022   9:49 AM         110000 maccdc2012_00001.pcap.Packets_106.pcap
-a----         11/8/2022   9:49 AM         210000 maccdc2012_00001.pcap.Packets_107.pcap
-a----         11/8/2022   9:49 AM         150000 maccdc2012_00001.pcap.Packets_108.pcap
-a----         11/8/2022   9:49 AM         180000 maccdc2012_00001.pcap.Packets_109.pcap
...
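To make concrete what all three tools are doing to the file, here is a small pure-Python splitter added as an illustration; it is not code from this page, from tcpdump, Wireshark or NETRESEC. It parses the classic pcap layout (24-byte global header, then one 16-byte record header plus captured bytes per packet; both byte orders and the nanosecond-timestamp variant are accepted, pcapng is rejected), splits by packet count like editcap -c and SplitCap -s packets, splits by size like tcpdump -C (rotating before a record rather than cutting one in half), and then checks that the chunks' packet counts add up to the original's. The capture it runs on is constructed in make_sample_pcap with dummy payloads, not real traffic; every function name is the example's own.

```python
"""Illustrative pcap splitter (not tcpdump/editcap/SplitCap code).

Classic pcap = 24-byte global header + records of (16-byte header, incl_len bytes).
Splitting means copying the global header into every chunk and never cutting a
record in half. pcapng is deliberately rejected."""
import struct

GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16
# magic bytes -> struct byte-order prefix; microsecond and nanosecond variants
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # 0xa1b2c3d4 little-endian, usec timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, usec
    b"\x4d\x3c\xb2\xa1": "<",  # 0xa1b23c4d little-endian, nsec timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nsec
}


def parse_pcap(data):
    """Return (global_header, [raw_record, ...]). Raises ValueError on unknown
    magic or truncation instead of silently dropping the tail of the capture."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    endian = MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not classic pcap (pcapng or unknown magic)")
    ghdr, records, off = data[:GLOBAL_HDR_LEN], [], GLOBAL_HDR_LEN
    while off < len(data):
        if off + REC_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        # fields: ts_sec, ts_frac, incl_len (captured bytes), orig_len (on the wire)
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + REC_HDR_LEN])
        end = off + REC_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append(data[off:end])
        off = end
    return ghdr, records


def is_valid_pcap(data):
    try:
        parse_pcap(data)
        return True
    except ValueError:
        return False


def count_packets(data):
    """Same number capinfos -c reports for one file."""
    return len(parse_pcap(data)[1])


def split_by_count(data, packets_per_file):
    """editcap -c / SplitCap -s packets: at most packets_per_file records per chunk."""
    ghdr, records = parse_pcap(data)
    return [ghdr + b"".join(records[i:i + packets_per_file])
            for i in range(0, len(records), packets_per_file)]


def split_by_size(data, max_bytes):
    """tcpdump -C: before writing each record, rotate if the current chunk is
    already larger than max_bytes. A chunk may therefore overshoot by one
    record, and a record is never split across two files."""
    ghdr, records = parse_pcap(data)
    chunks, cur = [], bytearray(ghdr)
    for rec in records:
        if len(cur) > GLOBAL_HDR_LEN and len(cur) > max_bytes:
            chunks.append(bytes(cur))
            cur = bytearray(ghdr)
        cur += rec
    if len(cur) > GLOBAL_HDR_LEN or not chunks:
        chunks.append(bytes(cur))
    return chunks


def verify_split(original, chunks):
    """Integrity check: every chunk parses, carries the original global header
    (byte order, snaplen, link type) and the packet counts add up."""
    ghdr, records = parse_pcap(original)
    total = 0
    for chunk in chunks:
        chunk_hdr, chunk_records = parse_pcap(chunk)
        if chunk_hdr != ghdr:
            return False
        total += len(chunk_records)
    return total == len(records)


def make_sample_pcap(payload_sizes, nanosecond=False):
    """Constructed test input, not captured traffic: little-endian pcap, link
    type 1 (EN10MB), one dummy packet per entry in payload_sizes."""
    magic = b"\x4d\x3c\xb2\xa1" if nanosecond else b"\xd4\xc3\xb2\xa1"
    # version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1
    ghdr = magic + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, n in enumerate(payload_sizes):
        # arbitrary fixed timestamps; incl_len == orig_len (nothing truncated)
        body += struct.pack("<IIII", 1331890207 + i, 0, n, n) + bytes([i % 256]) * n
    return ghdr + body


if __name__ == "__main__":
    sample = make_sample_pcap([60, 1500, 60, 1500, 1500, 60, 64])
    by_count = split_by_count(sample, 3)
    by_size = split_by_size(sample, 2000)
    print("by count:", [count_packets(c) for c in by_count], verify_split(sample, by_count))
    print("by size :", [len(c) for c in by_size], verify_split(sample, by_size))
```

On a real capture, read the file's bytes, pass them to one of the split functions and write each returned chunk to its own file; verify_split is the check worth running on the output of any of the three tools above too, and capinfos -c on each chunk gives the same per-file count if you prefer the Wireshark tooling. The size splitter's overshoot-by-one-record behaviour is why the tcpdump listing above shows pieces of slightly uneven size rather than exactly 25,000,000 bytes each.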
