TrimPCAP


TrimPCAP is designed to overcome the issue with truncated sessions by removing data from the end of sessions rather than from the beginning. This also comes with a great bonus when it comes to saving on disk usage, since the majority of the bytes transferred across the Internet are made up of big sessions (a.k.a. "Elephant Flows"). Thus, by trimming a PCAP file so that it only contains the first 100kB of each TCP and UDP session it's possible to significantly reduce required storage for that data.

The maximum session size (a.k.a. flow cutoff) can be controlled on the command line, so it's perfectly all right to use a trim size of 1 MB or even 10 MB in order to only trim the largest flows in a packet capture.
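As an added illustration of the flow-cutoff idea (this is not the trimpcap.py source, which uses dpkt), a standard-library-only Python sketch: it walks a libpcap file, keys each packet by its bidirectional TCP/UDP 5-tuple, and stops writing a flow once that flow has passed max_bytes of captured bytes. The constructed sample capture, the packet-granular byte counting, and the rule that non-TCP/UDP packets are always kept are assumptions of this example.

```python
import struct
from collections import defaultdict
PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic (microsecond timestamps)
ETH_IPV4, TCP, UDP = 0x0800, 6, 17

def flow_key(frame):  # bidirectional (proto, endpoint, endpoint) for IPv4 TCP/UDP, else None
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (TCP, UDP) or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    # Sort the endpoints so both directions of one session share a key.
    return (proto,) + tuple(sorted([(frame[26:30], sport), (frame[30:34], dport)]))

def trim_pcap(data, max_bytes):  # returns (trimmed pcap bytes, bytes removed)
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"  # file may be big-endian
    out, seen, pos, removed = bytearray(data[:24]), defaultdict(int), 24, 0
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, pos)[2]
        key = flow_key(data[pos + 16:pos + 16 + incl_len])
        if key is None or seen[key] < max_bytes:  # assumption: non-TCP/UDP always kept
            out += data[pos:pos + 16 + incl_len]
        else:
            removed += 16 + incl_len  # dropped record header + frame
        seen[key] += incl_len  # seen[None] is harmless bookkeeping
        pos += 16 + incl_len
    return bytes(out), removed

def build_frame(src_ip, dst_ip, sport, dport, payload_len):  # constructed, checksums zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + tcp + b"A" * payload_len

def build_pcap(frames):  # little-endian libpcap file, link type 1 (Ethernet)
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1512432000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def demo(max_bytes=4096):  # one 10-packet elephant flow plus a tiny 2-packet flow
    ends = [("10.0.0.1", "10.0.0.2", 40000, 443), ("10.0.0.2", "10.0.0.1", 443, 40000)]
    big = [build_frame(*ends[i % 2], 1000) for i in range(10)]
    small = [build_frame("10.0.0.1", "10.0.0.3", 40001, 53, 50),
             build_frame("10.0.0.3", "10.0.0.1", 53, 40001, 50)]
    original = build_pcap(big + small)
    trimmed, removed = trim_pcap(original, max_bytes)
    return len(original), len(trimmed), removed  # -> (10964, 4544, 6420)
```

With a 4096-byte cutoff only the first four 1054-byte frames of the elephant flow survive while the small flow is untouched, which is the effect the paragraph above describes.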

Download trimpcap.py

Usage

Usage: python trimpcap.py <max_bytes_per_flow> <pcap_file(s)>

Example:

user@so:$ python trimpcap.py 102400 /nsm/sensor_data/so-eth1/dailylogs/2017-12-05/*
Trimming capture files to max 102400 bytes per flow.
Dataset reduced by 94.32% = 8186770546 bytes
user@so:$

Dependencies

TrimPCAP requires Python, dpkt and repoze.lru. The Python libraries can be installed with pip like this:

pip install dpkt
pip install repoze.lru


TrimPCAP is open source software and is released under the GNU General Public License version 2 (GPLv2). The tool can trim PCAP as well as PCAP-NG files, however PCAP-NG files need to have a ".pcapng" suffix.

You can download TrimPCAP from the following URL: https://www.netresec.com/?download=trimpcap