Multiple PCAP files

Hey,

I am trying to learn network forensics and want to use zeek. In my course we have hundreds of PCAPs. They do have connections spanning over multiple PCAPs. Is there an easy way to let zeek “combine” those by itself?

I tried mergecap but the PCAP got way too large for my system.
Are there any best practices or so? How would you approach such a challenge?

Thanks in advance. I hope this is the right place and I haven’t missed another topic.

Imho, the proper way would be to add (or extend the existing) PCAP packet source so that you can point it to a directory and read files from that directory. I do have a code snippet that does exactly this. Let me see if I can move it into a packet source.


Using mergecap, you could also output the result to stdout and feed it directly to zeek -r -

$ mergecap -w - ./pcaps/*.pcap | zeek -C -r -

As long as mergecap doesn’t create temporary files, this might just do the trick.

EDIT: Doesn’t look like it creates any temporary files.
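As an added example (this is not Zeek's code, not mergecap, and not the snippet Jan mentioned), here is a small Python script that does the same streaming merge itself: it opens each classic pcap file, validates the global header, k-way merges the records by timestamp with one record per file in memory, and writes a single pcap to stdout so the combined capture never lands on disk. It assumes the inputs are classic pcap (pcapng is rejected), that each file is already in time order (the same assumption mergecap makes), and that all files share one link type; the file names and the sample packets in the helper are constructed for illustration.

```python
"""Stream-merge classic pcap files by timestamp to stdout without a temp file.
Usage:  python3 merge_pcaps.py ./pcaps/*.pcap | zeek -C -r -
(Added example for this thread; not Zeek's or mergecap's implementation.)
"""
import heapq
import io
import struct
import sys
from dataclasses import dataclass
from typing import BinaryIO, Iterator, List, Tuple

MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # classic pcap variant with nanosecond timestamps
NS = 1_000_000_000


@dataclass
class PcapSource:
    f: BinaryIO
    endian: str      # "<" or ">", taken from how the magic number was written
    nsec: bool       # True when timestamps carry nanoseconds instead of microseconds
    snaplen: int
    linktype: int


def open_pcap(f: BinaryIO) -> PcapSource:
    """Parse the 24-byte global header; detect byte order and timestamp resolution."""
    hdr = f.read(24)
    if len(hdr) != 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", hdr[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (bad magic); pcapng is not supported")
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:])
    return PcapSource(f, endian, magic == MAGIC_NSEC, snaplen, linktype)


def iter_records(src: PcapSource) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (timestamp_ns, original_length, captured_bytes) per record, lazily."""
    while True:
        rh = src.f.read(16)
        if not rh:
            return
        if len(rh) != 16:
            raise ValueError("truncated record header")
        sec, frac, incl, orig = struct.unpack(src.endian + "IIII", rh)
        data = src.f.read(incl)
        if len(data) != incl:
            raise ValueError("truncated packet data")
        yield sec * NS + (frac if src.nsec else frac * 1000), orig, data


def merge_pcaps(inputs: List[BinaryIO], out: BinaryIO) -> int:
    """K-way merge of time-ordered inputs into one pcap; returns packets written."""
    sources = [open_pcap(f) for f in inputs]
    linktypes = {s.linktype for s in sources}
    if len(linktypes) != 1:
        raise ValueError(f"mixed link types {sorted(linktypes)}: cannot merge into one pcap")
    out_nsec = any(s.nsec for s in sources)  # keep nanosecond precision if any input has it
    out.write(struct.pack("<IHHiIII", MAGIC_NSEC if out_nsec else MAGIC_USEC, 2, 4, 0, 0,
                          max(s.snaplen for s in sources), linktypes.pop()))
    its = [iter_records(s) for s in sources]
    heap: list = []

    def push(i: int) -> None:
        rec = next(its[i], None)
        if rec is not None:
            heapq.heappush(heap, (rec[0], i, rec[1], rec[2]))  # (ts, idx) is unique per entry

    for i in range(len(its)):
        push(i)
    written = 0
    while heap:  # memory stays at one buffered record per input file
        ts, i, orig, data = heapq.heappop(heap)
        sec, rem = divmod(ts, NS)
        out.write(struct.pack("<IIII", sec, rem if out_nsec else rem // 1000, len(data), orig))
        out.write(data)
        written += 1
        push(i)
    return written


def build_pcap(records: List[Tuple[int, bytes]], nsec: bool = False, linktype: int = 1) -> bytes:
    """Constructed test input: records are (timestamp_ns, packet_bytes)."""
    buf = struct.pack("<IHHiIII", MAGIC_NSEC if nsec else MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)
    for ts, data in records:
        sec, rem = divmod(ts, NS)
        buf += struct.pack("<IIII", sec, rem if nsec else rem // 1000, len(data), len(data)) + data
    return buf


def merge_bytes(blobs: List[bytes]) -> bytes:
    """In-memory wrapper around merge_pcaps for small inputs and tests."""
    out = io.BytesIO()
    merge_pcaps([io.BytesIO(b) for b in blobs], out)
    return out.getvalue()


def read_packets(blob: bytes) -> List[Tuple[int, int, bytes]]:
    """Parse a pcap blob back into its records (used to check merge output)."""
    return list(iter_records(open_pcap(io.BytesIO(blob))))


if __name__ == "__main__":
    handles = [open(p, "rb") for p in sys.argv[1:]]
    n = merge_pcaps(handles, sys.stdout.buffer)
    print(f"merged {n} packets", file=sys.stderr)
```

Because every input file is held open for the duration of the merge, hundreds of PCAPs may hit the per-process open-file limit; raising it with `ulimit -n` before running, or merging in batches, avoids that. Files that are not individually time-ordered would need a sort step first, just as with mergecap.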

Hey,

@awelzel thanks for your solution. This seems to work.

But I hope @Jan still has his code snippet. It sounds more like what I was looking for.

Thanks a lot.