I would direct you to: http://mailman.icsi.berkeley.edu/pipermail/bro/2018-January/012804.html

I use a pipeline based on pcapdj + pcapsplitter from the PcapPlusPlus toolkit (both on GitHub). Previously I used tcpsplit (also on GitHub) but found pcapsplitter to have better performance and better treatment of non-TCP flows.