PcapSplitter splitting file by both connection and tcp filter doesn't work as expected

[Peter Liu]

Hello,

    I want the tool to split file by both connection and bpf filter, as I don't want to see UDP, ARP, ICMP...packets in wireshark, so I use following command, but it never really creates files, only prompts "Read and Written 0 packets to 0 files", if I move '-i "tcp"' then it can creates several pcap files. Anyone knows the reason? syntax incorrect? or it only supports either -m or -i, not both?

PcapSplitter -f somepcapfile.pcap -m connection -o ./splitted -i "tcp"

under Ubuntu 16.04.

[PcapPlusPlus Support]

Hi,

I'm sorry for the delayed response.

I tried and it's working on my machine. Could you please share a sample of the pcap you're trying to split?

Thanks,

--
You received this message because you are subscribed to the Google Groups "PcapPlusPlus support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pcapplusplus-sup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pcapplusplus-support/2ce1c311-af69-45a6-9fc2-843be4835ad2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Dmitry Kshensky]

The same thing happened for me.

Without bpf filter ("-i") all is fine, applying bpf filter results in "Read and written 0 packets to 0 files"

воскресенье, 2 декабря 2018 г. в 16:09:55 UTC+8, pcappl...@gmail.com:

[PcapPlusPlus Support]

Can you please share the pcap file you're using? That'd help me investigate the issue