
tcpsplit v0.1.1
October 2008

Mark Allman
International Computer Science Institute
mallman@icir.org


This utility takes a libpcap packet trace and splits it into some
number of smaller traces, along TCP connection boundaries.  This
allows the breaking apart of large traces into smaller and more
manageable subsets without ending up with part of a TCP connection
in one sub-trace and part in another.

Basic usage:

usage: tcpsplit [options] readfile writespec num_files
  the "writespec" must contain a %d, indicating where to insert the file number
  options:
    -h        usage instructions
    --notcp   only use IP addresses in classification
    --version version information

Examples:

% tcpsplit bigtrace smalltrace.%d 5

    This creates 5 sub-traces called "smalltrace.1", "smalltrace.2",
    etc. from "bigtrace".

In addition, the tool always creates a "weird" file (in this case it
would be "smalltrace.weird").  This file contains any packets that
could not successfully be classified and put into another of the
files.  Normally, this file contains no packets.

Each TCP segment is dumped into a sub-trace based on the two IP
addresses and two port numbers in the packet.  Each time a new
connection is detected, the sub-trace it will be dumped into is
picked using a least-frequently used scheme: the sub-trace that has
so far received the fewest packets.

Each non-TCP segment is dumped into a sub-trace based on the two IP
addresses only.

If the "--notcp" option is given then the TCP port numbers are never
used in determining which sub-trace packets are filed into.  (This
is useful for collecting all traffic between two endpoints
together.)
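The classification rules above (4-tuple key for TCP, address-pair key for
everything else and for "--notcp", least-loaded sub-trace for each new
connection, unclassifiable packets to the "weird" file), as an added
illustration in Python rather than the tool's own libpcap-based C code.
Packets are modelled as constructed tuples instead of being read from a
trace, and the tie-break toward the lowest-numbered sub-trace is an assumption.

```python
# Added example: models tcpsplit's classification scheme on constructed packets.
# A packet is (src_ip, dst_ip, proto, sport, dport); None fields mean "no IP header".

def flow_key(pkt, notcp=False):
    """Key a packet the way the README describes: both IP addresses plus, for TCP
    (unless notcp), both ports.  Endpoints are sorted so that both directions of a
    connection land in the same sub-trace.  Returns None if unclassifiable."""
    src, dst, proto, sport, dport = pkt
    if src is None or dst is None:
        return None                      # e.g. ARP: no IP addresses to classify on
    if proto == "tcp" and not notcp:
        return ("tcp",) + tuple(sorted([(src, sport), (dst, dport)]))
    return ("ip",) + tuple(sorted([src, dst]))

def split_trace(packets, num_files, notcp=False):
    """Assign each packet to sub-trace 1..num_files.  A new connection goes to the
    sub-trace with the fewest packets so far (lowest number on ties: assumption).
    Returns (per-packet sub-trace numbers, per-file packet counts, weird packets)."""
    counts = {f: 0 for f in range(1, num_files + 1)}
    file_of = {}                         # flow key -> sub-trace number
    assignment, weird = [], []
    for pkt in packets:
        key = flow_key(pkt, notcp)
        if key is None:
            weird.append(pkt)            # would be written to writespec.weird
            continue
        if key not in file_of:
            file_of[key] = min(counts, key=lambda f: (counts[f], f))
        f = file_of[key]
        counts[f] += 1
        assignment.append(f)
    return assignment, counts, weird

# Constructed sample: two TCP connections (both directions), one UDP packet
# between the same endpoints as the first connection, and one ARP frame.
PACKETS = [
    ("10.0.0.1", "10.0.0.2", "tcp", 40000, 80),
    ("10.0.0.2", "10.0.0.1", "tcp", 80, 40000),
    ("10.0.0.1", "10.0.0.2", "tcp", 40000, 80),
    ("10.0.0.1", "10.0.0.3", "tcp", 40001, 443),
    ("10.0.0.1", "10.0.0.2", "udp", 53000, 53),
    ("10.0.0.3", "10.0.0.1", "tcp", 443, 40001),
    (None, None, "arp", None, None),
]

if __name__ == "__main__":
    print(split_trace(PACKETS, 2))               # UDP packet follows the IP-pair key
    print(split_trace(PACKETS, 2, notcp=True))   # all 10.0.0.1<->10.0.0.2 traffic together
```

With two sub-traces the default run places the UDP packet in sub-trace 2 (the
least-loaded file when its address pair is first seen), while "--notcp" files it
with the TCP connection between the same two hosts in sub-trace 1.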

Building:

  * The tool requires that libpcap be installed.

  * The tool was developed under FreeBSD.  Running "make" will build
    tcpsplit.

  * The tool also has been tested under Linux (build with "make -f
    Makefile.linux") and Solaris (build with "make -f
    Makefile.solaris").

  * Yes, I am too stupid to use autoconf.

Please let me know if you have tweaks or comments.



Acknowledgments
---------------
Rick Jones - tweaks for compiling under HP-UX 11.11
Jim Wyllie - signedness bug fixes

