
TrimPCAP is designed to overcome the issue with truncated sessions by removing data from the end of sessions rather than from the beginning. This also comes with a great bonus when it comes to saving on disk usage, since the majority of the bytes transferred across the Internet are made up of big sessions (a.k.a. “Elephant Flows”). Thus, by trimming a PCAP file so that it only contains the first 100 kB of each TCP and UDP session, it’s possible to significantly reduce the required storage for that data.

The maximum session size (a.k.a. flow cutoff) can be controlled on the command line, so it’s perfectly all right to use a trim size of 1 MB or even 10 MB in order to only trim the largest flows in a packet capture.
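The flow cutoff described above, as an added sketch that is not TrimPCAP's own code. It assumes a classic pcap file with Ethernet framing, keys flows on a direction-independent 5-tuple, counts captured frame bytes, drops a packet once it would push its flow past the cutoff, and always keeps frames that are not IPv4 TCP/UDP; the sample capture is constructed inline.

```python
import struct

def flow_key(frame):
    """Direction-independent 5-tuple of an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return (proto,) + tuple(sorted([(frame[26:30], sport), (frame[30:34], dport)]))

def trim_pcap(data, max_bytes):
    """Keep each flow's packets until its captured bytes would exceed max_bytes."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    out, seen, pos = [data[:24]], {}, 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        record = data[pos:pos + 16 + incl_len]
        if len(record) < 16 + incl_len:
            break  # capture ends mid-record; drop the partial packet
        key = flow_key(record[16:])
        # Assumption: frames that are not IPv4 TCP/UDP (ARP, ICMP) are always kept.
        if key is None or seen.get(key, 0) + incl_len <= max_bytes:
            out.append(record)
        if key is not None:
            seen[key] = seen.get(key, 0) + incl_len
        pos += 16 + incl_len
    return b"".join(out)

def sample_udp_record(sport, dport, payload_len):
    """Constructed test data: one little-endian pcap record, 10.0.0.1 -> 10.0.0.2."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    frame = bytes(12) + b"\x08\x00" + ip + udp + b"A" * payload_len
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def demo():
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    elephant = [sample_udp_record(40000, 9000, 958) for _ in range(10)]  # 1000 B frames
    mouse = [sample_udp_record(40001, 53, 58)]                           # one 100 B frame
    original = header + b"".join(elephant + mouse)
    return len(original), len(trim_pcap(original, 3000))

if __name__ == "__main__":
    print("bytes before/after: %d / %d" % demo())
```

With a 3000-byte cutoff the ten-packet flow keeps only its first three frames, while the short flow is untouched, which is why the opening of every session survives for analysis.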



Usage: python <max_bytes_per_flow> <pcap_file(s)>


user@so:$ python 102400 /nsm/sensor_data/so-eth1/dailylogs/2017-12-05/*
Trimming capture files to max 102400 bytes per flow.
Dataset reduced by 94.32% = 8186770546 bytes


TrimPCAP requires Python, dpkt and repoze.lru. The Python libraries can be installed with pip like this:

pip install dpkt
pip install repoze.lru

✂ TrimPCAP

TrimPCAP is open source software and is released under the GNU General Public License version 2 (GPLv2). The tool can trim PCAP as well as PCAP-NG files; however, PCAP-NG files need to have a ".pcapng" suffix.

You can download TrimPCAP from the following URL: