TrimPCAP


TrimPCAP is designed to overcome the issue with truncated sessions by removing data from the end of sessions rather than from the beginning, so the start of each session (where the handshake, request headers and other protocol metadata live) is preserved. This also comes with a great bonus when it comes to saving on disk usage, since the majority of the bytes transferred across the Internet are made up of big sessions (a.k.a. "Elephant Flows"). Thus, by trimming a PCAP file so that it only contains the first 100 kB of each TCP and UDP session, it is possible to significantly reduce the storage required for that data.

The maximum session size (a.k.a. flow cutoff) can be controlled on the command line, so it is perfectly all right to use a trim size of 1 MB or even 10 MB in order to only trim the largest flows in a packet capture.
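The following is an added example of the trimming idea described above; it is not TrimPCAP's own code and does not use dpkt. It keeps only the first `max_bytes` of frame bytes for each TCP/UDP flow (both directions counted together, identified by a sorted 5-tuple, an assumption of this example), drops every later packet of that flow, and passes non-TCP/UDP frames through untouched. It handles classic PCAP with Ethernet/IPv4 frames only; the sample capture at the bottom is constructed in memory so the script runs offline.

```python
"""Stdlib-only flow trimming in the spirit of TrimPCAP (added example)."""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4
ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
TCP, UDP = 6, 17


def flow_key(pkt):
    """Direction-independent flow id for IPv4 TCP/UDP frames, else None."""
    if len(pkt) < ETH_HLEN + 20 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = pkt[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (TCP, UDP) or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    ends = sorted([(ip[12:16], sport), (ip[16:20], dport)])  # A->B and B->A share a key
    return (proto, ends[0], ends[1])


def iter_pcap(data):
    """Yield (16-byte record header, frame bytes) for every record in a classic pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24  # global header length
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off:off + 16], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def trim_pcap(data, max_bytes):
    """Return (trimmed pcap bytes, bytes removed).

    A flow's packets are kept while its running total is below max_bytes; the packet
    that crosses the limit is kept whole, everything after it is dropped.
    """
    out = bytearray(data[:24])
    seen = {}
    removed = 0
    for rec, pkt in iter_pcap(data):
        key = flow_key(pkt)
        if key is not None:
            total = seen.get(key, 0)
            if total >= max_bytes:
                removed += len(pkt)
                continue
            seen[key] = total + len(pkt)
        out += rec + pkt
    return bytes(out), removed


# --- constructed sample data (not a real capture) ---------------------------
def build_frame(src, dst, sport, dport, payload, proto=TCP):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame; checksums and lengths are zeroed."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == TCP else 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return eth + ip + l4


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


A, B, C = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x03"
BIG = b"x" * 500
SAMPLE = build_pcap([
    build_frame(A, B, 40000, 443, BIG),        # elephant flow, client -> server
    build_frame(B, A, 443, 40000, BIG),        # same flow, server -> client
    build_frame(A, B, 40000, 443, BIG),        # beyond cutoff: dropped
    build_frame(A, B, 40000, 443, BIG),        # dropped
    build_frame(A, C, 53000, 53, b"q" * 40, UDP),  # small DNS-like flow, kept
    build_frame(A, B, 40000, 443, BIG),        # dropped
])

if __name__ == "__main__":
    # usage: python trim_example.py <max_bytes_per_flow> <pcap_file(s)>, like trimpcap.py
    limit = int(sys.argv[1])
    for path in sys.argv[2:]:
        with open(path, "rb") as fh:
            trimmed, removed = trim_pcap(fh.read(), limit)
        with open(path, "wb") as fh:
            fh.write(trimmed)
        print(f"{path}: removed {removed} bytes")
```

With a 1000-byte cutoff the sample keeps the first two 554-byte frames of the elephant flow (one in each direction), drops the remaining three, and leaves the 82-byte UDP flow untouched; the three dropped frames are the only data removed. Because the key sorts the endpoints, the reply direction counts against the same budget as the request direction, which is the behaviour you want when the goal is to keep the start of a session.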

Download trimpcap.py

Usage

Usage: python trimpcap.py <max_bytes_per_flow> <pcap_file(s)>

Example:

user@so:$ python trimpcap.py 102400 /nsm/sensor_data/so-eth1/dailylogs/2017-12-05/*
Trimming capture files to max 102400 bytes per flow.
Dataset reduced by 94.32% = 8186770546 bytes
user@so:$

Dependencies

TrimPCAP requires Python, dpkt and repoze.lru. The Python libraries can be installed with pip like this:

pip install dpkt
pip install repoze.lru


TrimPCAP is open source software and is released under the GNU General Public License version 2 (GPLv2). The tool can trim PCAP as well as PCAP-NG files, however PCAP-NG files need to have a ".pcapng" suffix.

You can download TrimPCAP from the following URL: https://www.netresec.com/?download=trimpcap