Blog | G5 Cyber Security

Best Way to Extract a Pcap Session from A Larger Pcap Session?

The best way to extract a large collection of network packets from a libpcap file is to use a tool like Tcptrace to identify sessions in a sample.lpc file. If we want to extract session e2f, representing an FTP control channel, we use the following Tcpdump syntax: If we wanted to reconstruct the contents of the session of interest (like application), we could use Tcpflow to see only the packets we wanted and then save them without saving them.
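The workflow above (Tcptrace to find the session, Tcpdump to cut it out, Tcpflow to rebuild its contents) can be sketched as follows. This is an added example, not the command from the original post: the addresses and ports in the sample Tcptrace listing are constructed, the function names are hypothetical, and IPv4 endpoints are assumed.

```shell
#!/bin/sh
# Constructed sample of the per-connection lines printed by
# `tcptrace -n sample.lpc` (addresses and ports are made up).
SAMPLE_TCPTRACE='  1: 192.0.2.10:1041 - 198.51.100.5:80 (a2b)   12>   10<  (complete)
  2: 192.0.2.10:1042 - 198.51.100.5:80 (c2d)    8>    7<  (complete)
  3: 192.0.2.10:1043 - 198.51.100.7:21 (e2f)   30>   25<  (complete)'

# session_filter LABEL
# Reads tcptrace connection lines on stdin and prints a capture filter
# that matches only the connection carrying LABEL (for example e2f).
# Exits non-zero if the label is not present in the listing.
session_filter() {
  awk -v want="($1)" '
    $5 == want {
      split($2, a, ":"); split($4, b, ":")   # host:port -> host, port
      printf "tcp and host %s and port %s and host %s and port %s\n",
             a[1], a[2], b[1], b[2]
      found = 1
    }
    END { exit !found }'
}

# extract_session IN.lpc LABEL OUT.lpc
# Looks the label up with tcptrace, then has tcpdump read the large
# capture (-r) and write only the matching packets to a new file (-w).
extract_session() {
  filter=$(tcptrace -n "$1" | session_filter "$2") || return 1
  tcpdump -n -r "$1" -w "$3" "$filter"
}

# rebuild_session OUT.lpc
# tcpflow writes one file per direction of the flow into the current
# directory, which gives the application-layer contents of the session.
rebuild_session() {
  tcpflow -r "$1"
}
```

With the three tools installed, `extract_session sample.lpc e2f ftp-control.lpc` followed by `rebuild_session ftp-control.lpc` carries out the full procedure; the output file name is an assumption.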

Source: https://taosecurity.blogspot.com/2004/08/best-way-to-extract-pcap-session-from.html
