Capture splitter

Create a streams/ subfolder in the directory you run TShark from before you start: the script does not create that folder for you, and Dumper.new fails when it is missing.

Tip

Use this command from inside the streams/ folder if the split produced too many files for a plain rm * to handle (Linux/Mac). It deletes them 100 at a time, which sidesteps the "Argument list too long" error; run it only inside streams/, since it removes everything listed in the current directory:

ls | xargs -n 100 rm

Tip

Raise the open-file limit if your capture contains many TCP streams, since every stream keeps one file open until the end of the run. This only raises the soft limit of the current shell and cannot go above the hard limit (check it with ulimit -Hn):

ulimit -n 10000

Script:

-- Register the field we want Wireshark to tell us about, here we just want the TCP stream ID.
-- Field.new has to run at script load time (outside the tap callbacks), before any packet is dissected.
local tcp_stream = Field.new("tcp.stream")

-- Create a new "Listener" with the display filter "tcp", since we want to split TCP streams out of the capture file.
local tap = Listener.new(nil, "tcp")

-- Table of open Dumper objects, keyed by stream ID (one open file per stream)
local dumpers = {}

-- Stream IDs whose file has already been closed once. Dumper.new truncates an existing file,
-- so re-opening one of these would silently discard the packets written to it earlier.
local closed = {}

-- It might be prudent to raise your max file descriptor on a Unix system:
-- ulimit -n 10000
-- https://superuser.com/questions/302754/increase-the-maximum-number-of-open-file-descriptors-in-snow-leopard

-- Flush and close every open dumper. Used for out-of-descriptor recovery and at end of file.
local function close_all()
        for id, dumper in pairs(dumpers) do
                dumper:flush()
                dumper:close()
                closed[id] = true
        end
        dumpers = {}
end

-- Write the current packet to the file for stream `id`, creating streams/<id>.cap on first sight.
-- You will need to create the streams/ folder before you run the script.
-- Dumper.new defaults to pcap format with Ethernet link type; pass an entry of wtap_encaps as the
-- third argument if your capture uses another encapsulation, or the split files will not dissect correctly.
local function write_pkt(id)
        local file = dumpers[id]
        if not file then
                if closed[id] then
                        -- Re-creating this file would overwrite what was already written for the stream.
                        -- Report and skip instead; raise ulimit -n and re-run to get the complete stream.
                        io.stderr:write("stream " .. id .. ": file already closed, dropping packet\n")
                        return
                end

                -- Dumper.new is part of the Lua API of Wireshark; it creates a capture file for us.
                -- When the file cannot be opened (for example EMFILE, too many open files) it raises
                -- a Lua error rather than returning nil, so it has to be called through pcall.
                local ok, result = pcall(Dumper.new, "streams/" .. id .. ".cap")
                if not ok then
                        -- Out of file descriptors: flush and close everything that is open, then retry once.
                        -- Streams closed here lose any later packets (see `closed` above).
                        io.stderr:write("Dumper.new failed (" .. tostring(result) .. "); closing all open streams\n")
                        close_all()
                        result = assert(Dumper.new("streams/" .. id .. ".cap"))
                end
                file = result
                dumpers[id] = file
        end

        -- Dump the current packet, as dissected, to the stream's file
        file:dump_current()
end

-- tap.packet is called by Wireshark for every packet matching our listener filter
function tap.packet(pinfo, tvb, tapdata)
        local id = tcp_stream()          -- FieldInfo for the first tcp.stream occurrence, or nil
        if id then
                write_pkt(tostring(id))  -- tostring() gives the stream number as text, e.g. "5"
        end
end

-- a listener tap's draw function is called every few seconds in the GUI
-- and once, at end of file, in TShark. Because it closes every file, this script is meant
-- for TShark (tshark -q -X lua_script:splitter.lua -r capture.pcap): in the GUI the periodic
-- call would close streams mid-capture and write_pkt would then drop their remaining packets.
function tap.draw()
        print("file processed, closing all dumpers")
        close_all()
end

-- a listener tap's reset function is called at the end of a live capture run,
-- when a file is opened, or closed.  TShark never appears to call it.
function tap.reset()
end
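The same Listener/Field/Dumper pattern works for any field, not only tcp.stream. The script below is an added example, not part of the original page: it takes the display filter and the key field as TShark script arguments (-X lua_script1:<value> hands <value> to the first Lua script as a vararg), so one script splits UDP streams, DNS by source address, or HTTP by host. The file name split_by.lua, the output layout streams/<field>-<value>.cap and the "none" bucket for packets lacking the field are this example's own choices. Because the key comes straight from packet bytes, it is sanitized before it becomes part of a path: without that, a crafted value such as an http.host of "../../x" would steer where the file is written.

```lua
-- split_by.lua (added example): split a capture into one file per value of a field.
-- Run under TShark, for instance:
--   tshark -q -r capture.pcap -X lua_script:split_by.lua \
--          -X lua_script1:"udp" -X lua_script1:"udp.stream"
--   tshark -q -r capture.pcap -X lua_script:split_by.lua \
--          -X lua_script1:"dns" -X lua_script1:"ip.src"
-- The streams/ folder must exist beforehand, as with the original script.

local args       = { ... }
local filter     = args[1] or "tcp"          -- display filter selecting what to split
local field_name = args[2] or "tcp.stream"   -- field whose value names the output file
local encap_name = args[3]                   -- optional link type name from wtap_encaps, e.g. "ETHERNET"

local encap = nil
if encap_name then
        encap = assert(wtap_encaps[encap_name], "unknown encapsulation: " .. encap_name)
end

-- Field.new and Listener.new must run at load time, before any packet is dissected.
local key_field = Field.new(field_name)
local tap       = Listener.new(nil, filter)

local dumpers = {}   -- open Dumper objects keyed by sanitized field value
local written = 0
local dropped = 0

-- Field values are attacker-influenced packet data. Anything that ends up in a path is
-- reduced to [A-Za-z0-9._-] (everything else becomes '_') and bounded in length, so
-- "../../x" turns into ".._.._x" and "a/b" into "a_b": a plain file name, never a directory.
local function safe_name(value)
        local s = tostring(value):gsub("[^%w%.%-]", "_")
        return s:sub(1, 100)
end

-- Return the open dumper for `key`, creating streams/<field>-<key>.cap on first use.
local function dumper_for(key)
        local d = dumpers[key]
        if d then return d end
        local path = "streams/" .. safe_name(field_name) .. "-" .. key .. ".cap"
        -- Dumper.new raises a Lua error when the file cannot be created (missing streams/
        -- folder, too many open files), so it is called through pcall.
        local ok, result
        if encap then
                ok, result = pcall(Dumper.new, path, wtap_filetypes.PCAP, encap)
        else
                ok, result = pcall(Dumper.new, path)   -- defaults: pcap format, Ethernet link type
        end
        if not ok then
                io.stderr:write("cannot create " .. path .. ": " .. tostring(result) .. "\n")
                return nil
        end
        dumpers[key] = result
        return result
end

function tap.packet(pinfo, tvb, tapdata)
        local fi  = key_field()                      -- first occurrence of the field, or nil
        local key = fi and safe_name(fi) or "none"   -- packets without the field share one file
        local d   = dumper_for(key)
        if d then
                d:dump_current()
                written = written + 1
        else
                dropped = dropped + 1                -- counted, not silently lost
        end
end

-- Called once at end of file in TShark: close everything and report what was done.
function tap.draw()
        local files = 0
        for _, d in pairs(dumpers) do
                d:flush()
                d:close()
                files = files + 1
        end
        dumpers = {}
        print(string.format("%d files written, %d packets written, %d packets dropped",
                            files, written, dropped))
end

function tap.reset()
end
```

A quick check after a run is capinfos -c streams/*.cap: the per-file packet counts should add up to the number reported as written, and a non-zero dropped count means the open-file limit was hit and ulimit -n needs raising before re-running.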

Exercise 1

Create your own capture file and extract all traffic that is not TCP.

Exercise 2

Only split traffic where the destination is TCP port 80.