bndabbs · March 7, 2019 00:34
diff --git a/pcap-ng_to_libpcap.md b/pcap-ng_to_libpcap.md
diff --git a/split-traffic.sh b/split-traffic.sh
 # Gather the interface IDs from the pcap:
 tshark -r stream1.part15.pcap -Tfields -e frame.interface_id > interfaces.txt

 # List the unique IDs
 cat interfaces.txt | sort -n | uniq

 # I had two interface IDs (0 and 1), and about 15 capture files.
 # This loops over each file and splits the traffic out to seperate files with only a single interface per-file:
 for i in *.pcap; do tshark -r ${i} -Y frame.interface_id==0 -w split/0/${i}; done
 for i in *.pcap; do tshark -r ${i} -Y frame.interface_id==1 -w split/1/${i}; done

 # As a final task, we have to convert the file format from pcap-ng to libpcap:
 cd split/0
 for i in *.pcap; do sudo editcap -F libpcap ${i} ../../fixed/0/${i}; done

 cd ../1
 for i in *.pcap; do sudo editcap -F libpcap ${i} ../../fixed/1/${i}; done
	# Gather the interface IDs from the pcap:
	tshark -r stream1.part15.pcap -Tfields -e frame.interface_id > interfaces.txt

	# List the unique IDs
	cat interfaces.txt \| sort -n \| uniq

	# I had two interface IDs (0 and 1), and about 15 capture files.
	# This loops over each file and splits the traffic out to seperate files with only a single interface per-file:
	for i in *.pcap; do tshark -r ${i} -Y frame.interface_id==0 -w split/0/${i}; done
	for i in *.pcap; do tshark -r ${i} -Y frame.interface_id==1 -w split/1/${i}; done

	# As a final task, we have to convert the file format from pcap-ng to libpcap:
	cd split/0
	for i in *.pcap; do sudo editcap -F libpcap ${i} ../../fixed/0/${i}; done

	cd ../1
	for i in *.pcap; do sudo editcap -F libpcap ${i} ../../fixed/1/${i}; done