As James Fields mentioned, you can use editcap to build a new file containing only s certain set of frames (records). However, you CAN build filters in Ethereal as well:
Let's say you want to filter only a range of frames, i.e. 1 through 100,000. You could use this filter: "frame.number >=1 and frame.number <=100000".
If you want to filter based on timestamp, you can do it one of two ways. You could do it based on absolute time (i.e. frame.time > "Jun 18, 2003 14:00:00.0" and "frame.time <= "Jun 18, 2003 14:30:00.0", which will filter only records received between ~2pm and 2:30pm today), or based on relative time (i.e. frame.time >= 0 and frame.time < 30, which would filter only the first 30 seconds of traffic in a capture).
Ian
Ben Irving wrote:
Hi, Is anyone aware of a very detailed document on ethereal filtering. The user guide does not cover what I am hoping to do. I would like to pull out a number of frames based on frame number, (i.e) frames 1 to 100000 or frames x to y. It would also be nice to be able to do this based on time. Thanks.
-Ben
_______________________________________________ Ethereal-users mailing list [EMAIL PROTECTED] http://www.ethereal.com/mailman/listinfo/ethereal-users
