Quickly extract packets of interest from pcaps using classic BPF.
Filtering large pcap files with a Wireshark read filter or with tshark can be slow and memory intensive, because every packet is run through the protocol dissectors before a display filter is evaluated. This program was written as a simple, fast alternative for the common case where a capture filter is all you need. Since it is pure Go (no dependency on libpcap etc.), it is also standalone and portable.
The built-in filter compiler should handle most filters. For exotic link layers or unusually complex expressions, you can instead pre-compile the filter on any nearby machine that has tcpdump installed: 'tcpdump -ddd' prints the compiled cBPF program as decimal numbers (an instruction count, then one 'code jt jf k' line per instruction), and '-y' selects the link-layer type to compile for. Feed that output to -program. Note that a compiled program hard-codes the header offsets of the link type it was compiled for, so the -y value must match the link type of the capture you are filtering; a program compiled for EN10MB reads the wrong bytes on a LINUX_SLL capture and silently mis-filters rather than failing.
Usage: pcap-filter -output <output.pcap> {-filter <bpf-filter> | -program <bpf-program-file>} <input.pcap[ng][.gz]> [<input2.pcap[ng][.gz]> ...]
Example: pcap-filter -output filtered.pcap -filter 'tcp port 443' capture.pcap next_capture.pcap
-debug
Enable debug output
-filter string
Classic Berkeley Packet Filter (cBPF tcpdump/libpcap capture filter) syntax (e.g., 'tcp port 80')
-microseconds
Write output pcap with microsecond timestamps (default is nanoseconds)
-output string
Output pcap file
-program string
Precompiled BPF program file. '-' for stdin (output of 'tcpdump -ddd ...')
-quiet
Suppress non-error output