How to get random packets from a .pcap file?


I am trying to get a random subset of packets from a .pcap file. To do so, I have written the following shell script:

large_number=150000
smaller_number=10000
selected_packet_numbers=$(shuf -i 0-"$large_number" -n "$smaller_number")
editcap -r capture.pcap capture-selected.pcap $selected_packet_numbers

However, editcap is giving me the following error:

Out of room for packet selections

Using a shell loop would take an unreasonably long time.

What can I do to select a random subset of packets from a .pcap file?


There are 2 best solutions below


Currently, you will need to reduce smaller_number so its value is strictly less than 512. If you want more packet selections than that, you'll likely have to change the value of MAX_SELECTIONS in the editcap.c source code and compile it yourself.


As Christopher Maynard explained, you can only select a maximum of 512 packets at once with editcap. This thread on the Wireshark mailing list has a bit more information.

If you don't want to change editcap's sources, you could select packets in batches. The following script generates 10000 random numbers and then selects packets in batches of 512. The resulting .pcap files are merged into a single .pcap file at the end.

#!/bin/bash
# Usage: ./pcap-random.sh input-file.pcap output-file
large_number=150000
smaller_number=10000
selected_pkt_numbers=$(shuf -i 0-"$large_number" -n "$smaller_number")
# Step through the random numbers 512 at a time (editcap accepts at most 512
# packet selections per run). The upper bound is smaller_number-1 so that an
# exact multiple of 512 does not produce a final, empty batch.
for j in $(seq 0 512 $((smaller_number - 1))); do
    endrange=$((j+512))
    if [ "$endrange" -gt "$smaller_number" ]; then
        endrange=$smaller_number
    fi
    # Selects numbers $j to $endrange from the generated random numbers
    # ($selected_pkt_numbers is left unquoted on purpose so that the
    # newline-separated list is flattened onto one line for awk):
    echo "$j - $endrange"
    pkt_numbers=$(echo $selected_pkt_numbers | awk -v start="$j" -v end="$endrange" '{ out=""; for (i=start+1; i<=end; i++) out=out" "$i; print out}')
    # $pkt_numbers must stay unquoted: editcap expects one argument per packet number.
    editcap -r "$1" "$2-$j.pcap" $pkt_numbers
done
# Merge the per-batch captures into a single output file.
mergecap -w "$2.pcap" "$2"-*.pcap

To use it:

$ ./pcap-random.sh input-file.pcap output-file
0 - 512
512 - 1024
[...]
9216 - 9728
9728 - 10000
$
$
$ capinfos output-file.pcap 
File name:           output-file.pcap
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Packet size limit:   inferred: 58 bytes
Number of packets:   10 k
[...]

That script will take more time to execute than if you modify editcap's sources. I haven't measured how much. With the parameters you gave it took ~11s to execute.
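The batching above exists only because editcap caps the number of selections per run. Another way around the limit, added here as an illustration and not part of either answer, is to skip editcap for the selection step and sample the capture directly: read the legacy pcap record by record, draw k packet indexes uniformly without replacement, and write those records back out in their original order (which is what editcap -r does too). Because the script counts the packets itself, it also avoids guessing an upper bound such as large_number=150000 and drawing numbers that may not exist in the file. It assumes the input is a legacy libpcap file (magic 0xA1B2C3D4 or the nanosecond/big-endian variants), not pcapng; the function and variable names are my own.

```python
#!/usr/bin/env python3
"""Select a uniformly random subset of packets from a legacy pcap file in one pass.
Added example; it does not use editcap and therefore has no 512-selection limit."""
import random
import struct

GLOBAL_HDR_LEN = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len

# Magic number as read little-endian -> struct byte-order prefix for the rest of the file.
_MAGIC_TO_ORDER = {
    0xA1B2C3D4: "<",  # little-endian, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian, nanosecond timestamps
    0xD4C3B2A1: ">",  # big-endian, microsecond timestamps
    0x4D3CB2A1: ">",  # big-endian, nanosecond timestamps
}


def split_records(data):
    """Return (global_header, [raw_record, ...]); each raw record is its 16-byte
    header followed by the captured bytes, copied byte-for-byte. Truncated
    files raise ValueError instead of silently yielding a short packet."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    order = _MAGIC_TO_ORDER.get(struct.unpack("<I", data[:4])[0])
    if order is None:
        raise ValueError("not a legacy pcap file (pcapng is not handled here)")
    records = []
    pos = GLOBAL_HDR_LEN
    while pos < len(data):
        if len(data) - pos < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % pos)
        incl_len = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        end = pos + RECORD_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % pos)
        records.append(data[pos:end])
        pos = end
    return data[:GLOBAL_HDR_LEN], records


def packet_count(data):
    return len(split_records(data)[1])


def sample_pcap(data, k, seed=None):
    """Return a new pcap holding k packets drawn uniformly without replacement,
    kept in their original order. seed is only for reproducible runs."""
    header, records = split_records(data)
    if k > len(records):
        raise ValueError("asked for %d packets but capture holds %d" % (k, len(records)))
    keep = sorted(random.Random(seed).sample(range(len(records)), k))
    return header + b"".join(records[i] for i in keep)


def build_pcap(frames, linktype=1, snaplen=65535):
    """Build a little-endian, microsecond-precision pcap from raw frames.
    Used to construct test input here; not a real capture."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for n, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + n, n, len(frame), len(frame)) + frame)
    return b"".join(out)


if __name__ == "__main__":
    import sys
    src, dst, k = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(sample_pcap(data, k))
    print("wrote %d of %d packets to %s" % (k, packet_count(data), dst))
```

Run it as `python3 pcap-sample.py input-file.pcap output-file.pcap 10000`. The whole file is held in memory, which is fine for captures of the size discussed here; for multi-gigabyte captures you would do a first pass to count records and a second pass to copy only the chosen offsets. If the input is pcapng (as the capinfos output above shows for the mergecap result), convert it first with `editcap -F pcap`.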