I wrote a post about splitting large pcap file into small ones before. After that, you should add timestamp for pcap‘s file name, and it will be easy for you to find related pcap files to process.
Assume there is a folder which includes all pcap files generated by following tcpdump command:
tcpdump -r input.pcap -w ./pcap/frag -C 1000
It will generate ./pcap/frag, ./pcap/frag1, …, etc. You can use following script to add timestamp for every file:
#!/bin/sh
directory=./pcap
cd "$directory" || exit 1
for old_file_name in *
do
timestamp=$(tshark -nr "${old_file_name}" -T fields -e frame.time_epoch -c 1)
new_file_name="${old_file_name}.${timestamp}.pcap"
mv "${old_file_name}" "${new_file_name}"
done
The file’s name will be fragxx.1542222065.974954000.pcap now.
P.S., the script can be downloaded here.