Extracting a host's network traffic from a pcap file


Posted by Diego Assencio on 2015.07.24 under Linux (General)

If you have a pcap file from which you would like to extract all the network traffic associated with a given IP address, i.e., all packets sent to/from this IP address, you can use tcpdump to do the job:

tcpdump -r <in-file.pcap> -w <out-file.pcap> host <ip-address>

This command will read a pcap file called in-file.pcap as a packet stream and write all packets sent to/from the given IP address to an output pcap file out-file.pcap.

If all you want to do is view the host's traffic on a terminal, just omit the -w <out-file.pcap> part. In this case, tcpdump will automatically convert IP addresses, port numbers, etc. to more human-readable values, such as hostnames or "ssh" instead of 22 for the port number. You can disable this by adding -n to the end of the command.

As a side note, tcpdump will automatically determine a mapping between IP addresses and MAC addresses, so even traffic associated with the given host which is not IP traffic (e.g. ARP and other layer 2 protocols) may be extracted as well since tcpdump will be able to determine that those packets were sent/received by this host. If you really wish to have only IP traffic on the output, then use the following command:

tcpdump -r <in-file.pcap> -w <out-file.pcap> ip host <ip-address>

to extract only IPv4 traffic, and:

tcpdump -r <in-file.pcap> -w <out-file.pcap> ip6 host <ip-address>

to extract only IPv6 traffic.
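
When this extraction is scripted, for example over a list of addresses during triage, the address ends up inside the filter expression, so it is worth checking that it is a plain IP literal before calling tcpdump. The following is an added example, not code from the original post; the function names host_filter and extract_host are hypothetical, and it assumes tcpdump is on the PATH.

```shell
#!/bin/sh
# Added example; host_filter and extract_host are hypothetical helper names.

# Print the filter expression for one host, or return 1 if the argument is not
# a plain IPv4/IPv6 literal. Anything else (hostnames, "or port 22", "-w ...")
# is rejected so it can never widen the filter or be read as an option.
# Usage: host_filter <ip-address> [any|ip|ip6]
host_filter() {
    addr=$1
    family=${2:-any}
    case $addr in
        ''|*[!0-9a-fA-F.:]*) return 1 ;;          # empty, or not hex digits, '.' or ':'
        *:*)                 addr_family=ip6 ;;   # IPv6 literal
        *[!0-9.]*|*.*.*.*.*) return 1 ;;          # hex letters or too many dots
        *.*.*.*)             addr_family=ip ;;    # dotted quad
        *)                   return 1 ;;
    esac
    case $family in
        any)            printf 'host %s\n' "$addr" ;;
        "$addr_family") printf '%s host %s\n' "$family" "$addr" ;;
        *)              return 1 ;;               # unknown family, or wrong one for this address
    esac
}

# Copy the packets sent to/from one host out of a capture.
# Usage: extract_host <in-file.pcap> <out-file.pcap> <ip-address> [any|ip|ip6]
extract_host() {
    src=$1
    dst=$2
    filter=$(host_filter "$3" "${4:-any}") || {
        echo "extract_host: bad address or family: $3" >&2
        return 2
    }
    [ -r "$src" ] || { echo "extract_host: cannot read $src" >&2; return 2; }
    # tcpdump -w overwrites silently; keep earlier output intact.
    [ ! -e "$dst" ] || { echo "extract_host: $dst already exists" >&2; return 2; }
    # Options first, filter expression last, passed as a single argument.
    tcpdump -r "$src" -w "$dst" "$filter"
}

# Constructed sample call (documentation address, not from the post):
#   extract_host in-file.pcap host-192.0.2.10.pcap 192.0.2.10 ip
```

tcpdump still performs the final parsing of the address; the check above only guarantees that nothing except an address literal reaches the expression.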
