Extracting Per Capture Port PCAPs


It can be quite helpful to extract pcaps based on the physical capture port.

Run the following command:

 sudo stream_cat -v --follow --bpf "arp" --frame "capture.port=0" > port0.pcap

Change capture.port=0 to the capture port of interest.

Also change the BPF filter "arp" to a filter of interest.

After it has run for a few seconds, or a minute or two, press CTRL-C to stop it; the resulting .pcap can then be used.

Example output is as follows:

fmadio@fmadio20v2-149:~$ sudo stream_cat -v --follow --bpf "arp" --frame "capture.port=0" > port0.pcap
stream_cat: follow mode
BPF Filter [arp] slen: 3 alen: 3
Frame Filter [capture.port=0]
stream_cat ioqueue: 6
Using Filename [fmad-sg2_20241211_0000]
capture port     [] invert:0
   capture port enable:0 []
fmadio capture port map: [0]
fmadio a7130   port map: []
fmadio c3550   port map: []
TimeStamp[0] --pcap
TimeStamp[1] --pcap
TimeStamp[2] --pcap
TimeStamp[3] --pcap
TimeStamp[4] --pcap
TimeStamp[5] --pcap
TimeStamp[6] --pcap
TimeStamp[7] --pcap
calibrating...
0 : 2100010737           2.1000 cycles/nsec offset:0.011 Mhz
Cycles/Sec 2100010737.0000 Std:       0 cycle std(  0.00000000) Target:2.10 Ghz
StartChunkID: 177019215
StartChunk: 177019215 Offset: 0 Stride: 1
StartChunk: 177019215
[20241211_233006]  0M Offset:    0GB Pkt:1733931005_458009301 Length:1522 Capture:1524 ChunkID:177019215 Read[0.000Gbps 0.000 Mpps Pkt:1] Write[0.000Gbps 0.000 Mpps Pkt:0] CPUIdle:41315.289 CPUFetch:0.059 CPUProcss:0.939 CPUSend:0.003
^Cctrl-c 0
20241211_233007 2.451s : Pkt:4 Byte:320 SUCCESS
fmadio@fmadio20v2-149:~$ tcpdump -r port0.pcap -nn | head
reading from file port0.pcap, link-type EN10MB (Ethernet), snapshot length 16384
23:30:05.459006803 ARP, Request who-has 2.1.2.53 tell 27.111.210.49, length 50
23:30:05.558725679 ARP, Request who-has 2.1.2.52 tell 27.111.210.49, length 50
23:30:05.563366559 ARP, Request who-has 192.168.2.45 tell 192.168.2.254, length 50
23:30:05.563440175 ARP, Reply 192.168.2.45 is-at d0:50:99:d4:d0:92, length 50
fmadio@fmadio20v2-149:~$ ^C

The same can be done using a stored capture file.

Use sudo stream_dump to find the name of the stored capture file.

Then run the same command, adding the capture file name found in the step above:

 sudo stream_cat -v --follow --bpf "arp" --frame "capture.port=0" <insert capture name from above step> > port0.pcap
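As an added example (not from the fmadio documentation), the POSIX shell script below generalizes the procedure above to several capture ports, running each extraction for a fixed number of seconds instead of stopping it by hand with CTRL-C and then checking that each run ended with the SUCCESS summary line. It assumes stream_cat is run via sudo as on this page, that its -v log goes to stderr (stdout carries the pcap), and that coreutils `timeout` is installed.

```shell
#!/bin/sh
# Added example, not from the fmadio documentation: one pcap per capture
# port for a fixed duration, plus a check of stream_cat's final summary.
# Assumptions: stream_cat is run via sudo as on the page, its -v log goes to
# stderr (stdout carries the pcap), and coreutils `timeout` is installed.

# Print the stream_cat command line for one capture port and BPF filter.
build_cmd() {
    printf 'sudo stream_cat -v --follow --bpf "%s" --frame "capture.port=%s"' "$2" "$1"
}

# Output file name for a port, following the page's port0.pcap naming.
out_name() {
    printf 'port%s.pcap' "$1"
}

# Print the packet count from the final summary line of a stream_cat log
# ("20241211_233007 2.451s : Pkt:4 Byte:320 SUCCESS"); exit non-zero if
# the run did not finish with SUCCESS.
summary_pkts() {
    sed -n 's/^.* : Pkt:\([0-9][0-9]*\) Byte:[0-9]* SUCCESS[[:space:]]*$/\1/p' "$1" \
        | tail -n 1 | grep .
}

# extract_ports <seconds> <bpf> <port>...  : writes port<N>.pcap and
# port<N>.pcap.log for each port given.
extract_ports() {
    duration=$1; bpf=$2; shift 2
    for port in "$@"; do
        out=$(out_name "$port")
        echo "capture.port=$port -> $out ($duration s)" >&2
        # SIGINT is what CTRL-C sends, so stream_cat flushes and prints its
        # summary exactly as in the interactive session on the page.
        timeout -s INT "$duration" sh -c "$(build_cmd "$port" "$bpf")" \
            > "$out" 2> "$out.log" || :
        if pkts=$(summary_pkts "$out.log"); then
            echo "$out: $pkts packets" >&2
        else
            echo "$out: stream_cat did not report SUCCESS, see $out.log" >&2
        fi
    done
}

# Example: 30 seconds of ARP traffic from capture ports 0 to 3.
#   extract_ports 30 "arp" 0 1 2 3
```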