Hello Steven,

>>> <[EMAIL PROTECTED]> 10/26/06 2:49 AM >>>
> Quoting Stephen Fisher <[EMAIL PROTECTED]>:
>
> Cheers, I had tried using 'tcp port 389' but in needing to do a 24hr
> capture resulted in a lot of info. Even when splitting the data amongst
> multiple files resulted in 10Mb x 260 files. Opening this many files
> would be too much. I'm not sure of what the maximum file size Wireshark
> can handle in opening, may give 150Mb a go instead of 10Mb multiple file
> sizes.
This is where the Wireshark command line utilities (tshark and mergecap specifically) really come in handy!

You have a large set of (relatively large) capture files. You can use the "tshark" utility with your desired display filter (ldap.authentication == 0) to easily select out a subset of the frames from each of the original trace files and then write this data to a new (filtered) trace file. Using mergecap you can then combine the various filtered trace files into larger trace files for subsequent analysis within Wireshark itself.

Assuming you have a cmd line environment that allows one to easily iterate (loop) across a set of files you could do something like the following:

#
# In a sh/ksh/bash like environment the following (untested)
# shell commands would do the following:
#
# 1) create a new folder called "filtered".
#
# 2) Execute tshark for each file found in the current directory
#    whose name begins with "myOriginalTraces" and ends with
#    "pcap". Tshark will use the display filter 'ldap.authentication == 0'
#    to select out a specific subset of frames from the current
#    trace file and write the filtered results to a new trace. The
#    new trace file will have the same name as the original trace
#    file but will be located in the "./filtered" folder.
#
mkdir filtered
for i in myOriginalTraces*.pcap
do
    tshark -r "$i" -R 'ldap.authentication == 0' -w "./filtered/$i"
done
#
# end of script.
#

In the worst case you can construct and execute a simple batch file that accomplishes the same thing...

mkdir filtered
tshark -r myOriginalTrace01.pcap -R 'ldap.authentication == 0' -w ./filtered/myOriginalTrace01.pcap
tshark -r myOriginalTrace02.pcap -R 'ldap.authentication == 0' -w ./filtered/myOriginalTrace02.pcap
tshark -r myOriginalTrace03.pcap -R 'ldap.authentication == 0' -w ./filtered/myOriginalTrace03.pcap
[snip]

Afterwards you can then use the mergecap utility to combine these newly generated (and filtered) trace files into convenient sized units.

I hope this helps.
Jim Young

_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
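The filter-each-file-then-merge pipeline from the reply, as an added example that is not from the original thread or the Wireshark project: it reimplements in plain Python what tshark's 'ldap.authentication == 0' selects (a BindRequest whose authentication choice is the simple password, i.e. a cleartext credential on port 389, which is why a defender wants these frames) and what mergecap then does (one chronological file of the hits). It assumes Ethernet II / IPv4 / TCP pcap files with microsecond timestamps; the capture files and LDAP PDUs are constructed sample data.

```python
import struct

PCAP_MAGIC, LDAP_BIND_REQUEST, AUTH_SIMPLE = 0xA1B2C3D4, 0x60, 0x80  # [APPLICATION 0] BindRequest, [0] simple

def ber_tlv(buf, pos):  # -> (tag, value_start, value_end) of the BER element at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:       # long-form length: low 7 bits give the number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, pos, pos + ln
def is_simple_bind(payload):  # what tshark's 'ldap.authentication == 0' matches: a simple-password BindRequest
    try:
        tag, p, _ = ber_tlv(payload, 0)               # LDAPMessage ::= SEQUENCE
        _, _, p = ber_tlv(payload, p)                 # messageID INTEGER (skipped)
        op, p, _ = ber_tlv(payload, p)                # protocolOp
        if tag != 0x30 or op != LDAP_BIND_REQUEST:
            return False
        for _ in range(2):                            # skip version INTEGER and name LDAPDN
            _, _, p = ber_tlv(payload, p)
        return ber_tlv(payload, p)[0] == AUTH_SIMPLE  # authentication CHOICE tag
    except IndexError:                                # truncated or non-LDAP payload
        return False

def tcp_payload(frame):  # Ethernet II / IPv4 / TCP only (assumption); None for anything else
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]
def read_pcap(data):  # yields (ts_sec, ts_usec, frame) from a little-endian, microsecond pcap
    assert struct.unpack("<I", data[:4])[0] == PCAP_MAGIC
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        yield sec, usec, data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
def write_pcap(records):  # records: iterable of (ts_sec, ts_usec, frame); link type 1 = Ethernet
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in records)

def filter_and_merge(pcap_files):  # tshark -R ... -w on each file, then mergecap: one chronological pcap of hits
    kept = [r for d in pcap_files for r in read_pcap(d) if (p := tcp_payload(r[2])) and is_simple_bind(p)]
    return write_pcap(sorted(kept))

def ldap_frame(ldap):  # constructed sample frame 10.0.0.1 -> 10.0.0.2:389 carrying one LDAP PDU (no checksums)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(ldap), 0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack(">HHIIBBHHH", 49152, 389, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + ldap
SIMPLE_BIND = b"\x30\x1a\x02\x01\x01\x60\x15\x02\x01\x03\x04\x08cn=admin\x80\x06secret"   # constructed
SASL_BIND = b"\x30\x1c\x02\x01\x02\x60\x17\x02\x01\x03\x04\x08cn=admin\xa3\x08\x04\x06GSSAPI"  # constructed
def sample_pcaps():  # two constructed split captures (as the 260 files in the thread); 2 of the 4 frames are hits
    return [write_pcap([(100, 0, ldap_frame(SIMPLE_BIND)), (50, 0, ldap_frame(SASL_BIND))]),
            write_pcap([(200, 0, ldap_frame(SIMPLE_BIND)), (75, 0, ldap_frame(SASL_BIND))])]
```

In practice tshark and mergecap do this far faster and handle every link type; the value of the re-implementation is seeing exactly which BER tag the display filter keys on.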
