pcapfilter

pcapfilter is a small tool that filters the packets of a pcap file and generates a reduced pcap file without affecting their content.

Changes

v0.2:

  • The negation 'not' can also be written 'no'
  • Add a default rule 'all' that matches all the packets
    • You can now write rules like 'all no sport 10' to match all the packets except those with the specified source port
    • If only 'no' rules are provided, the 'all' rule is added by default before any other
  • Add kinda Linux support (thanks to fser)

Usage

pcapfilter src dst rules

  1. src: if filename (the input pcap file)
  2. dst: of filename (the output pcap file)

rules:

  1. by address: [src|dst|addr] ip_address
  2. by port: [sport|dport|port] portno

Adding the word 'not' or 'no' before a rule negates it.

Rule matching: the last matching rule wins.

Examples:

filter all the packets from 192.168.1.1

pcapfilter if capture.pcap of sample.pcap src 192.168.1.1

filter all the packets from 192.168.1.1 and with port 287

pcapfilter if capture.pcap of - src 192.168.1.1 | pcapfilter if - of sample.pcap port 287

filter all the packets from 192.168.1.1 and without port 287

pcapfilter if capture.pcap of - src 192.168.1.1 | pcapfilter if - of sample.pcap all not port 287
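The rule semantics described above (negation, the implicit 'all', last match wins), modelled in Python as an added example; this is not pcapfilter's own code. The packet dictionaries and the names `parse_rules`, `keep` and `filter_packets` are assumptions made for the illustration, as is the reading that a packet matched by no rule is not written.

```python
# Added illustration of the README's rule semantics, not pcapfilter's source.
# Packet layout and function names are assumptions made for this example.
FIELDS = {"src": ("src",), "dst": ("dst",), "addr": ("src", "dst"),
          "sport": ("sport",), "dport": ("dport",), "port": ("sport", "dport")}
PORT_KINDS = {"sport", "dport", "port"}

PACKETS = [  # constructed sample headers
    {"src": "192.168.1.1", "dst": "10.0.0.5", "sport": 287, "dport": 40000},
    {"src": "192.168.1.1", "dst": "10.0.0.5", "sport": 5000, "dport": 80},
    {"src": "10.0.0.5", "dst": "192.168.1.1", "sport": 40000, "dport": 287},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "sport": 10, "dport": 53},
]

def parse_rules(tokens):
    """Turn ['all', 'no', 'sport', '10'] into [(negated, kind, value), ...]."""
    rules, negated, it = [], False, iter(tokens)
    for tok in it:
        if tok in ("not", "no"):
            negated = True
            continue
        if tok == "all":
            rules.append((negated, "all", None))
        elif tok in FIELDS:
            value = next(it, None)
            if value is None:
                raise ValueError(f"rule {tok!r} needs a value")
            rules.append((negated, tok, int(value) if tok in PORT_KINDS else value))
        else:
            raise ValueError(f"unknown rule keyword: {tok!r}")
        negated = False
    if negated:
        raise ValueError("negation without a rule after it")
    # Only negated rules given: the implicit 'all' goes before any other rule.
    if rules and all(neg for neg, _, _ in rules):
        rules.insert(0, (False, "all", None))
    return rules

def keep(packet, rules):
    """Last match wins: the final rule that matches decides keep or drop."""
    verdict = False  # assumption: a packet no rule matches is not written
    for negated, kind, value in rules:
        if kind == "all" or any(packet[f] == value for f in FIELDS[kind]):
            verdict = not negated
    return verdict

def filter_packets(packets, rule_string):
    """Apply one invocation's rules; chain calls to model a shell pipe."""
    rules = parse_rules(rule_string.split())
    return [p for p in packets if keep(p, rules)]
```

Under this model, two positive rules in one invocation keep a packet that matches either of them, which is why the examples above chain two invocations with a pipe to require both conditions.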

Download

FIXME This is a BSD makefile only.

License

The code is delivered under BSD License