{"id":13775050,"url":"https://github.com/f18m/large-pcap-analyzer","last_synced_at":"2026-01-12T15:39:59.569Z","repository":{"id":29492236,"uuid":"33029817","full_name":"f18m/large-pcap-analyzer","owner":"f18m","description":"A command-line utility program that performs some simple operations on PCAP files (Wireshark/tcpdump traces) very quickly. Allows you to manipulate very large PCAP files that cannot be easily handled with other software like Wireshark (or tshark). Supports filtering encapsulated GTPu frames. Easily extendible.","archived":false,"fork":false,"pushed_at":"2025-11-22T07:46:19.000Z","size":17382,"stargazers_count":113,"open_issues_count":5,"forks_count":20,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-12-02T00:34:30.023Z","etag":null,"topics":["analyzer","gtpu","networking","pcap","tcpdump"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f18m.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"f18m"}},"created_at":"2015-03-28T10:43:19.000Z","updated_at":"2025-12-01T19:15:14.000Z","dependencies_parsed_at":"2023-01-14T15:15:21.556Z","dependency_job_id":"666a3082-05c9-4650-a83e-fa85a3c71d3a","html_url":"https://github.com/f18m/large-pcap-analyzer","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/f18m/large-pcap-analyzer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f18m%2Flarge-pcap-analyzer","
tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f18m%2Flarge-pcap-analyzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f18m%2Flarge-pcap-analyzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f18m%2Flarge-pcap-analyzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/f18m","download_url":"https://codeload.github.com/f18m/large-pcap-analyzer/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f18m%2Flarge-pcap-analyzer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28341199,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T12:22:26.515Z","status":"ssl_error","status_checked_at":"2026-01-12T12:22:10.856Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analyzer","gtpu","networking","pcap","tcpdump"],"created_at":"2024-08-03T17:01:33.204Z","updated_at":"2026-01-12T15:39:59.547Z","avatar_url":"https://github.com/f18m.png","language":"C++","funding_links":["https://github.com/sponsors/f18m"],"categories":["\u003ca id=\"b293f791ec9366957733415323755aa6\"\u003e\u003c/a\u003eTcpdump"],"sub_categories":[],"readme":"[![Build 
Status](https://github.com/f18m/large-pcap-analyzer/actions/workflows/main.yml/badge.svg)](https://github.com/f18m/large-pcap-analyzer/actions)\n\n# Large PCAP file analyzer\nLarge PCAP file analyzer is a command-line utility program that performs some simple operations\non .PCAP files very quickly. This allows you to manipulate even very large PCAP files\nthat cannot be easily handled with other software like \u003ca href=\"https://www.wireshark.org/\"\u003eWireshark\u003c/a\u003e.\n\nCurrently it builds and works on Linux, but nothing prevents it from running on Windows.\nIt is based on the well-known libpcap.\n\nSome features of this utility:\n\n1. Extracts packets matching a simple BPF filter (tcpdump syntax).\n2. Extracts packets matching plain text.\n3. Computes the tcpreplay speed required to respect packet timestamps.\n4. Understands GTPu tunnelling and allows filtering the encapsulated (inner) GTPu frames via BPF filters (tcpdump syntax).\n5. Changes the PCAP duration, rewriting the timestamp inside each packet.\n6. Provides \"traffic reports\", e.g. 
the connections that transport the most bytes or packets.\n\n\n# Table of Contents\n\n* [How to install](#how-to-install)\n* [Command line help](#command-line-help)\n* [Example run 1: time analysis](#example-run-1-time-analysis)\n* [Example run 2: raw search](#example-run-2-raw-search)\n* [Example run 3: tcpdump-like](#example-run-3-tcpdump-like)\n* [Example run 4: GTPu filtering](#example-run-4-gtpu-filtering)\n* [Example run 5: valid TCP stream filtering](#example-run-5-valid-tcp-stream-filtering)\n* [Example run 6: set PCAP duration resetting IFG](#example-run-6-set-pcap-duration-resetting-ifg)\n* [Example run 7: set PCAP duration preserving IFG](#example-run-7-set-pcap-duration-preserving-ifg)\n* [Example run 8: change PCAP timestamps](#example-run-8-change-pcap-timestamps)\n* [Example run 9: generate traffic reports](#example-run-9-generate-traffic-reports)\n\n\n\n# How to install\n\nYou can use one of the following installation options:\n\n| Link to Install Info | Build Status  | Applies to |\n|:--------------------:|:-------------:|:----------:|\n| [RPM repository](https://copr.fedorainfracloud.org/coprs/f18m/large-pcap-analyzer/) | ![Build status](https://copr.fedorainfracloud.org/coprs/f18m/large-pcap-analyzer/package/large-pcap-analyzer/status_image/last_build.png) | CentOS, RHEL, Fedora, RockyLinux, AlmaLinux, openSUSE Tumbleweed |\n| [Snap](https://snapcraft.io/large-pcap-analyzer) | [![Get it from the Snap Store](https://snapcraft.io/static/images/badges/en/snap-store-black.svg)](https://snapcraft.io/large-pcap-analyzer) | Arch Linux, Debian, Fedora, Gentoo, Linux Mint, openSUSE, Raspbian, Ubuntu, etc. 
If you have [snapd](https://docs.snapcraft.io/core/install) installed, just run ```snap install large-pcap-analyzer``` |\n\nFor developers: link to [Snapcraft page for large PCAP analyzer](https://build.snapcraft.io/user/f18m/large-pcap-analyzer)\n\nAs for most Linux software, you can also install the software by building it from sources:\n\n```\n\t$ wget https://github.com/f18m/large-pcap-analyzer/archive/3.8.2.tar.gz\n\t$ tar xvzf 3.8.2.tar.gz\n\t$ cd large-pcap-analyzer-3.8.2/\n\t$ apt install -y automake libpcap-dev diffutils tcpdump tshark   # or similar command to fetch dependencies\n\t$ ./configure \u0026\u0026 make\n\t$ sudo make install\n```\n\n\n# Command line help\n\n```\n\tlarge-pcap-analyzer version 3.8.2, built with libpcap libpcap version 1.9.1 (with TPACKET_V3)\n\tby Francesco Montorsi, (c) 2014-2023\n\tUsage:\n\tlarge-pcap-analyzer [options] somefile.pcap ...\n\tMiscellaneous options:\n\t-h,--help                this help\n\t-v,--verbose             be verbose\n\t-V,--version             print version and exit\n\t-q,--quiet               suppress all normal output, be script-friendly\n\t-w \u003coutfile.pcap\u003e, --write \u003coutfile.pcap\u003e\n\t\t\t\t\t\t\twhere to save the PCAP containing the results of filtering/processing\n\t-a,--append              open output file in APPEND mode instead of TRUNCATE\n\tFiltering options (i.e., options to select the packets to save in \u003coutfile.pcap\u003e):\n\t-Y \u003ctcpdump_filter\u003e, --display-filter \u003ctcpdump_filter\u003e\n\t\t\t\t\t\t\tthe PCAP filter to apply on packets (will be applied on outer IP frames for GTPu pkts)\n\t-G \u003cgtpu_tcpdump_filter\u003e, --inner-filter \u003cgtpu_tcpdump_filter\u003e\n\t\t\t\t\t\t\tthe PCAP filter to apply on inner/encapsulated GTPu frames (or outer IP frames for non-GTPu pkts)\n\t-C \u003cconn_filter\u003e, --connection-filter \u003cconn_filter\u003e\n\t\t\t\t\t\t\t4-tuple identifying a connection to filter; syntax is 'IP1:port1 IP2:port2'\n\t-S 
\u003csearch-string\u003e, --string-filter \u003csearch-string\u003e\n\t\t\t\t\t\t\ta string filter that will be searched inside loaded packets\n\t-T \u003csyn|full3way|full3way-data\u003e, --tcp-filter  \u003csyn|full3way|full3way-data\u003e\n\t\t\t\t\t\t\tfilter for entire TCP connections having \n\t\t\t\t\t\t\t\t-T syn: at least 1 SYN packet\n\t\t\t\t\t\t\t\t-T full3way: the full 3way handshake\n\t\t\t\t\t\t\t\t-T full3way-data: the full 3way handshake and data packets\n\tTimestamp processing options (i.e., options that might change packets saved in \u003coutfile.pcap\u003e):\n\t-t,--timing              provide timestamp analysis on loaded packets\n\t--set-duration \u003cHH:MM:SS\u003e\n\t\t\t\t\t\t\talters packet timestamps so that the time difference between first and last packet\n\t\t\t\t\t\t\tmatches the given amount of time. All packets in the middle will be equally spaced in time.\n\t--set-duration-preserve-ifg \u003cHH:MM:SS\u003e\n\t\t\t\t\t\t\talters packet timestamps so that the time difference between first and last packet\n\t\t\t\t\t\t\tmatches the given amount of time. 
Interframe gaps (IFG) are scaled accordingly.\n\t--set-timestamps-from \u003cinfile.txt\u003e\n\t\t\t\t\t\t\talters all packet timestamps using the list of Unix timestamps contained in the given text file;\n\t\t\t\t\t\t\tthe file format is: one line per packet, a single Unix timestamp in seconds (floating point supported)\n\t\t\t\t\t\t\tper line; the number of lines must match exactly the number of packets of the filtered input PCAP.\n\tReporting options:\n\t-p,--stats               provide basic parsing statistics on loaded packets\n\t--report \u003creport-name\u003e\n\t\t\t\t\t\t\tprovide a report on loaded packets; list of supported reports is:\n\t\t\t\t\t\t\t\tallflows_by_pkts: print in CSV format all the flows sorted by number of packets\n\t\t\t\t\t\t\t\ttop10flows_by_pkts: print in CSV format the top 10 flows sorted by number of packets\n\t\t\t\t\t\t\t\tallflows_by_pkts_outer: same as \u003callflows_by_pkts\u003e but stop at GTPu outer tunnel, don't parse the tunneled packet\n\t\t\t\t\t\t\t\ttop10flows_by_pkts_outer: same as \u003ctop10flows_by_pkts\u003e but stop at GTPu outer tunnel, don't parse the tunneled packet\n\t--report-write \u003coutfile.csv\u003e\n\t\t\t\t\t\t\tsave the report specified by --report in CSV format into \u003coutfile.csv\u003e\n\tInputs:\n\tsomefile.pcap            the large PCAP trace to analyze; more than 1 file can be specified.\n\n\tNote that:\n\t-Y and -G options accept filters expressed in tcpdump/pcap_filters syntax. 
See http://www.manpagez.com/man/7/pcap-filter/ for more info.\n\tA 'flow' is defined as a unique tuple of (srcIP, srcPort, dstIP, dstPort) for UDP,TCP,SCTP protocols.\n\tOther PCAP utilities you may be looking for are:\n\t* mergecap: to merge PCAP files\n\t* tcpdump: can be used to split PCAP files (and more)\n\t* editcap: can be used to manipulate timestamps in PCAP files (and more)\n\t* tcprewrite: can be used to rewrite some packet fields in PCAP files (and more)\n```\n\n# Example run 1: time analysis\n\nIn this example we are interested in understanding how many seconds of traffic are contained in a PCAP file:\n\n```\n$ large_pcap_analyzer -t large.pcap \n\nNo PCAP filter set: all packets inside the PCAP will be loaded.\n8M packets (8751268 packets) were loaded from PCAP.\nTcpreplay should replay this PCAP at an average of 73.34Mbps / 14580.72pps to respect PCAP timings.\n```\n\nNote that to load a 5.6GB PCAP only 1.9secs were required (on a 3GHz Intel Xeon CPU).\nThis translates to a processing throughput of about 3GB/sec (in this mode).\nRAM memory consumption was about 4MB.\n\n\n# Example run 2: raw search\n\nIn this example we are interested in selecting any packet that may contain inside it the string \"youtube\":\n\n```\n$ large_pcap_analyzer -v -S \"youtube\" -w out.pcap bigcapture.pcap\n\nAnalyzing PCAP file 'bigcapture.pcap'...\nThe PCAP file has size 5.50GiB = 5636MiB.\nNo PCAP filter set: all packets inside the PCAP will be loaded.\nSuccessfully opened output PCAP 'out.pcap'\n1M packets loaded from PCAP...\n2M packets loaded from PCAP...\n3M packets loaded from PCAP...\n4M packets loaded from PCAP...\n5M packets loaded from PCAP...\n6M packets loaded from PCAP...\n7M packets loaded from PCAP...\n8M packets loaded from PCAP...\nProcessing took 5 seconds.\n8M packets (8751268 packets) were loaded from PCAP.\n0M packets (9825 packets) matched the filtering criteria (search string / PCAP filters / valid TCP streams filter) and were saved into output 
PCAP.\n```\n\nNote that to load, search and extract packets from a 5.6GB PCAP only 5secs were required (on a 3GHz Intel Xeon CPU).\nThis translates to a processing throughput of about 1GB/sec (in this mode).\nRAM memory consumption was about 4MB.\n\n\n# Example run 3: tcpdump-like\n\nIn this example we are interested in selecting packets having a VLAN tag and directed to or coming from an HTTP server:\n\n```\n$ large_pcap_analyzer -v -Y 'vlan and tcp port 80' -w out.pcap bigcapture.pcap\n\nSuccessfully compiled PCAP filter: vlan and tcp port 80\nAnalyzing PCAP file 'bigcapture.pcap'...\nThe PCAP file has size 5.50GiB = 5636MiB.\nSuccessfully opened output PCAP 'out.pcap'\n1M packets loaded from PCAP (matching PCAP filter)...\n2M packets loaded from PCAP (matching PCAP filter)...\n3M packets loaded from PCAP (matching PCAP filter)...\n4M packets loaded from PCAP (matching PCAP filter)...\n5M packets loaded from PCAP (matching PCAP filter)...\n6M packets loaded from PCAP (matching PCAP filter)...\n7M packets loaded from PCAP (matching PCAP filter)...\n8M packets loaded from PCAP (matching PCAP filter)...\nProcessing took 3 seconds.\n8M packets (8751268 packets) were loaded from PCAP (matching PCAP filter).\n0M packets (1147 packets) matched the filtering criteria (search string / PCAP filters / valid TCP streams filter) and were saved into output PCAP.\n```\n\nNote that to load, search and extract packets from a 2GB PCAP only 1sec was required (on a 3GHz Intel Xeon CPU).\nRAM memory consumption was about 4MB.\n\n\n# Example run 4: GTPu filtering\n\nIn this example we are interested in selecting the GTPu-encapsulated packets of a specific TCP flow between the\nIP addresses 1.1.1.1 \u003c-\u003e 1.1.1.2, on TCP ports 80 \u003c-\u003e 10000:\n\n```\n$ large_pcap_analyzer -v -G '(host 1.1.1.1 or host 1.1.1.2) and (port 80 or port 10000)' -w out.pcap bigcapture.pcap\n\nSuccessfully compiled GTPu PCAP filter: (host 1.1.1.1 or host 1.1.1.2) and (port 80 or port 10000)\nAnalyzing 
PCAP file 'bigcapture.pcap'...\nThe PCAP file has size 5.50GiB = 5636MiB.\nSuccessfully opened output PCAP 'out.pcap'\n1M packets loaded from PCAP...\n2M packets loaded from PCAP...\n3M packets loaded from PCAP...\n4M packets loaded from PCAP...\n5M packets loaded from PCAP...\n6M packets loaded from PCAP...\n7M packets loaded from PCAP...\n8M packets loaded from PCAP...\nProcessing took 3 seconds.\n8M packets (8751268 packets) were loaded from PCAP.\n8M packets (8501213 packets) loaded from PCAP are GTPu packets (97.1%).\n0M packets (0 packets) matched the filtering criteria (search string / PCAP filters / valid TCP streams filter) and were saved into output PCAP.\n```\n\n\n# Example run 5: valid TCP stream filtering\n\nIn this example we are interested in selecting packets of TCP connections that have at least 1 SYN and 1 SYN-ACK packet\n(if GTPu packets are found this analysis is done for the encapsulated TCP connections):\n\n```\n$ large_pcap_analyzer -v -T -w out.pcap bigcapture.pcap\n\nAnalyzing PCAP file 'bigcapture.pcap'...\nThe PCAP file has size 5.50GiB = 5636MiB.\nSuccessfully opened output PCAP 'out.pcap'\nValid TCP filtering enabled: performing first pass\n1M packets loaded from PCAP...\n2M packets loaded from PCAP...\n3M packets loaded from PCAP...\n4M packets loaded from PCAP...\n5M packets loaded from PCAP...\n6M packets loaded from PCAP...\n7M packets loaded from PCAP...\n8M packets loaded from PCAP...\nProcessing took 2 seconds.\nDetected 1 invalid packets, 721214 non-TCP packets and 37436 valid TCP flows (on a total of 85878 flows).\nValid TCP filtering enabled: performing second pass\nAnalyzing PCAP file 'bigcapture.pcap'...\nThe PCAP file has size 5.50GiB = 5636MiB.\n1M packets loaded from PCAP...\n2M packets loaded from PCAP...\n3M packets loaded from PCAP...\n4M packets loaded from PCAP...\n5M packets loaded from PCAP...\n6M packets loaded from PCAP...\n7M packets loaded from PCAP...\n8M packets loaded from PCAP...\nProcessing took 2 
seconds.\n8M packets (8751268 packets) were loaded from PCAP.\n0M packets (4498 packets) matched the filtering criteria (search string / PCAP filters / valid TCP streams filter) and were saved into output PCAP.\n```\n\nNote that to load, search and extract packets from a 5.6GB PCAP only 4.5secs were required (on a 3GHz Intel Xeon CPU).\nThis translates to a processing throughput of about 1GB/sec (in this mode).\n\n\n# Example run 6: set PCAP duration resetting IFG\n\nIn this example a PCAP that would take 8 minutes to be replayed (without the top speed option) will be\nmodified to take just 1.2 seconds to replay.\nTo better explain the result of the processing, consider the following table where the original PCAP duration\nis reset from 20secs down to 10secs using the `--set-duration` option:\n\n| Frame index | Frame relative time in original PCAP | Frame relative time in output PCAP |\n|-------------|--------------------------------------|------------------------------------|\n| 1           | +0.0                                 | +0.0                               |\n| 2           | +1.0                                 | +2.5                               |\n| 3           | +15.0                                | +5.0                               |\n| 4           | +18.0                                | +7.5                               |\n| 5           | +20.0                                | +10.0                              |\n\nSee the following example session:\n\n```\n$ large_pcap_analyzer --timing test-pcaps/ipv4_gtpu_https.pcap\n0M packets (18201 packets) were loaded from PCAP.\nLast packet has a timestamp offset = 473.48sec = 7.89min = 0.13hours\nTcpreplay should replay this PCAP at an average of 0.27Mbps / 38.44pps to respect PCAP timings.\n\n$ large_pcap_analyzer --set-duration 1.2 --write /tmp/test.pcap test-pcaps/ipv4_gtpu_https.pcap \nPCAP duration will be set to: 1.200000 secs\nSuccessfully opened output PCAP '/tmp/test.pcap'\nPacket processing operations 
require 2 passes: performing first pass\n0M packets (18201 packets) were loaded from PCAP.\nPacket processing operations require 2 passes: performing second pass\n0M packets (18201 packets) were loaded from PCAP.\n0M packets (18201 packets) were processed and saved into output PCAP.\n\n$ large_pcap_analyzer --timing /tmp/test.pcap \n0M packets (18201 packets) were loaded from PCAP.\nLast packet has a timestamp offset = 1.20sec = 0.02min = 0.00hours\nTcpreplay should replay this PCAP at an average of 105.00Mbps / 15167.50pps to respect PCAP timings.\n```\n\nNote that using `--set-duration` all timestamps in the resulting PCAP will have an equal inter-frame gap (IFG).\nIn other words, the original IFGs will be lost.\n\n\n# Example run 7: set PCAP duration preserving IFG\n\nRepeating example #6 using `--set-duration-preserve-ifg` instead of `--set-duration` will give the same\nresult as far as the total PCAP duration is concerned, but the ratio between the new PCAP IFGs and the original\nPCAP IFGs will be preserved.\nTo better explain the result of the processing, consider the following table where the original PCAP duration\nis scaled down by a factor of 10 using `--set-duration-preserve-ifg`:\n\n| Frame index | Frame relative time in original PCAP | Frame relative time in output PCAP |\n|-------------|--------------------------------------|------------------------------------|\n| 1           | +0.0                                 | +0.0                               |\n| 2           | +1.0                                 | +0.1                               |\n| 3           | +15.0                                | +1.5                               |\n| 4           | +16.0                                | +1.6                               |\n\nAs you can see, the inter-frame gaps (IFGs) among the packets are preserved: packet #4 in the original PCAP\nhas a timestamp difference from packet #1 equal to 16secs, which becomes 1.6secs in the rescaled PCAP.\nThe same 
ratio is found considering the timestamp difference between packet #4 and packet #3: it is 1sec in\nthe original PCAP and 0.1sec in the rescaled output PCAP.\n\n```\n$ large_pcap_analyzer --set-duration-preserve-ifg 1.2 --write /tmp/test.pcap test-pcaps/ipv4_gtpu_https.pcap \nPCAP duration will be set to: 1.200000 secs\nSuccessfully opened output PCAP '/tmp/test.pcap'\nPacket processing operations require 2 passes: performing first pass\n0M packets (18201 packets) were loaded from PCAP.\nPacket processing operations require 2 passes: performing second pass\n0M packets (18201 packets) were loaded from PCAP.\n0M packets (18201 packets) were processed and saved into output PCAP.\n\n$ large_pcap_analyzer --timing /tmp/test.pcap \n0M packets (18201 packets) were loaded from PCAP.\nLast packet has a timestamp offset = 1.20sec = 0.02min = 0.00hours\nTcpreplay should replay this PCAP at an average of 105.00Mbps / 15167.50pps to respect PCAP timings.\n```\n\n\n# Example run 8: change PCAP timestamps\n\nIn this example the timestamps of 2 packets are manually tweaked.\nFirst of all, the current timestamps are extracted using a tool like [tshark](https://www.wireshark.org/docs/man-pages/tshark.html),\nin Epoch format:\n\n```\n$ tshark -F pcap -r test-pcaps/timing-test.pcap -Tfields -e frame.time_epoch \u003epkts_timings.txt\n```\n\nThen the timestamps of the 10th and 11th packets are replaced with the absolute time \"Saturday 9 February 2019 19:20:00\",\ncorresponding to the Unix timestamp value 1549740000 (you can use an online tool like https://www.epochconverter.com/),\nin the dump of packet timestamps:\n\n```\n$ sed -i '10s/.*/1549740000.000000000/' pkts_timings.txt\n$ sed -i '11s/.*/1549740000.100000000/' pkts_timings.txt\n```\n\nFinally, using the Large PCAP file analyzer tool, the capture trace is modified and the result is saved into the\n\"out.pcap\" file:\n\n```\n$ large_pcap_analyzer --write out.pcap --set-timestamps-from pkts_timings.txt 
test-pcaps/timing-test.pcap\n```\n\n\n# Example run 9: generate traffic reports\n\nIn this example we are interested in having a quick overview of the top 10 connections contained in the PCAP file\nthat carry the highest number of packets.\nTo achieve that, from the --help overview, the \"top10flows_by_pkts\" traffic report is selected:\n\n```\n$ ./large_pcap_analyzer --report top10flows_by_pkts test-pcaps/ipv4_gtpu_https.pcap \n0M packets (18201 packets) were loaded from PCAP.\nPacket parsing failed for 0/18201 pkts. Total number of packets/flows detected: 18201/213.\nTraffic report in CSV format:\nflow_num,num_pkts,%pkts,num_bytes,%bytes,flow_hash,ip_src,ip_dst,ip_proto,port_src,port_dst\n0,5562,30.56,5779325,34.98,5346E247DCBCA579,10.85.73.237,202.122.145.141,6,49789,443\n1,5043,27.71,5262864,31.86,359E06A6A0671690,10.85.73.237,202.122.145.141,6,40461,443\n2,4328,23.78,4470177,27.06,D0D80A5F6A8B3F4F,10.85.73.237,202.122.145.141,6,50059,443\n3,849,4.66,214889,1.30,13111CC415F92E54,10.85.73.237,58.71.141.53,6,49473,10000\n4,209,1.15,46214,0.28,5255AFFF70F6BFB5,10.85.73.237,58.71.141.53,6,49407,10000\n5,144,0.79,33478,0.20,DE86E0ED622568E9,10.85.73.237,208.67.76.95,6,49461,443\n6,112,0.62,74928,0.45,EC297958A1CA3946,10.85.73.237,216.58.196.74,6,54805,443\n7,101,0.55,28010,0.17,E26097004F952A54,10.85.73.237,208.67.76.95,6,49460,443\n8,59,0.32,10551,0.06,D3CD1D4C2E38C2C2,10.85.73.237,121.123.204.19,6,49458,80\n9,56,0.31,17508,0.11,54FD688F6BAAAF89,10.85.73.237,65.52.108.154,6,49453,443\nCompleted generation of 10 lines of traffic report.\n```\n\nFrom this output it is clear that the TCP connection (ip_proto=6) between IPs 10.85.73.237 and 202.122.145.141\non TCP ports 49789 and 443 (443 being the default HTTPS port) is the connection that transported the highest number of\npackets (30.56%) and bytes (34.98%).\n\nNote that, even when packet/byte counts do not matter, the traffic reports are also a handy way to\ncount and dump all connections found inside a PCAP 
file.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff18m%2Flarge-pcap-analyzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff18m%2Flarge-pcap-analyzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff18m%2Flarge-pcap-analyzer/lists"}