I have a very large capture file from tcpdump, 16 GB. Wireshark crashes trying to open it, a known issue.

For some of my investigation I used editcap and split it into smaller captures, and that worked okay, but there were 1000 of them and each is still slow to load/filter/etc.; the sizes range from 14 to 28 MB. I need to locate a small handful of packets within the large capture; there's some infrequent traffic I'm interested in. It's not feasible for me to open, apply a display filter to, and close each of the 1000 smaller files. I estimate it would take about 20 hours to do a brute-force search.

I've read the man pages on the tools that come with Wireshark. I was hoping to find a tool that opens a capture, applies a filter and outputs matching packets to a new file. Here's a sample run of the hypothetical filtercap tool:

# filtercap -r very-large.eth -w only-infrequent.eth -f "tcp.port==50000"

I can't quite seem to get this functionality from the tools provided. editcap is almost the right thing, except that instead of taking a general filter it is restricted to filtering on frame numbers or time. tshark is almost the right thing, except that tshark also tries to read in the whole capture first instead of processing it like editcap.

Is there any way for me to achieve "filtercap" functionality? Not coincidentally, the above example is exactly what I need to do; only the filenames and port numbers have been changed to protect the guilty.

..Stu

_______________________________________________
Wireshark-users mailing list
wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
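As an added example (not part of Stu's post, and not code from Wireshark or tcpdump), the following Python script does what the hypothetical "filtercap -r in -w out" run above asks for: it reads a classic libpcap file one record at a time, keeps only TCP packets whose source or destination port is the requested one (the display filter "tcp.port == N"), and writes them to a new pcap in a single pass, so memory use stays flat regardless of the input size. It assumes a classic pcap file (not pcapng), link type Ethernet, untagged frames and IPv4; frames that are anything else are skipped, never matched. The four-packet capture built by build_sample_pcap() is constructed here purely to exercise the filter, including a UDP datagram and a non-first IP fragment that a naive port check would wrongly match.

```python
"""Streaming "filtercap": copy the packets that match tcp.port == N from one
libpcap file to another in a single pass with flat memory use.

Added illustration, not code from the original post, Wireshark or tcpdump.
Assumes a classic libpcap file (not pcapng), link type Ethernet, untagged
frames and IPv4; frames that are anything else are skipped, never matched.
"""
import io
import struct
import sys
from typing import BinaryIO, Optional, Tuple

PCAP_HDR_LEN = 24          # global header
REC_HDR_LEN = 16           # per-packet record header
DLT_EN10MB = 1             # link type: Ethernet
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def _endian_for_magic(magic: bytes) -> str:
    """Map the global-header magic to a struct byte-order prefix."""
    if magic == b"\xd4\xc3\xb2\xa1":     # 0xa1b2c3d4 written little-endian
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":     # written big-endian
        return ">"
    raise ValueError("not a classic libpcap file (pcapng or unknown magic)")


def tcp_ports(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (sport, dport) for an untagged Ethernet/IPv4/TCP frame, else None.
    Non-first IPv4 fragments carry no TCP header, so they are rejected even
    though their protocol field says TCP."""
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ihl < 20 or ip[9] != IPPROTO_TCP or frag_off != 0 or len(ip) < ihl + 4:
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])


def filter_pcap(src: BinaryIO, dst: BinaryIO, port: int) -> int:
    """Stream records from src to dst, writing only TCP packets whose source or
    destination port equals `port`; returns the number written. One record is
    read at a time, so a 16 GB input needs no more memory than its largest
    packet. A capture cut short (tcpdump killed mid-write) ends the loop and
    keeps everything filtered so far instead of failing."""
    ghdr = src.read(PCAP_HDR_LEN)
    if len(ghdr) != PCAP_HDR_LEN:
        raise ValueError("truncated global header")
    endian = _endian_for_magic(ghdr[:4])
    (linktype,) = struct.unpack(endian + "I", ghdr[20:24])
    if linktype != DLT_EN10MB:
        raise ValueError(f"unsupported link type {linktype}")
    dst.write(ghdr)                      # output keeps byte order and snaplen
    kept = 0
    while True:
        rhdr = src.read(REC_HDR_LEN)
        if len(rhdr) != REC_HDR_LEN:
            break                        # clean EOF, or truncated record header
        incl_len = struct.unpack(endian + "IIII", rhdr)[2]
        frame = src.read(incl_len)
        if len(frame) != incl_len:
            break                        # truncated packet data at end of file
        ports = tcp_ports(frame)
        if ports is not None and port in ports:
            dst.write(rhdr)
            dst.write(frame)
            kept += 1
    return kept


def filter_bytes(data: bytes, port: int) -> Tuple[int, bytes]:
    """In-memory convenience wrapper around filter_pcap (used for self-testing)."""
    src, dst = io.BytesIO(data), io.BytesIO()
    return filter_pcap(src, dst, port), dst.getvalue()


def _frame(sport: int, dport: int, proto: int = IPPROTO_TCP, frag_off: int = 0) -> bytes:
    """Constructed Ethernet/IPv4 frame with a 20-byte transport header whose
    first four bytes are the ports; checksums are left zero (not checked here)."""
    l4 = struct.pack("!HH", sport, dport) + bytes(16)
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, frag_off, 64,
                     proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + l4


def build_sample_pcap() -> bytes:
    """Constructed four-packet capture: one TCP flow on port 50000, one on
    port 80, a UDP datagram on 50000, and a non-first fragment of a TCP packet
    on 50000. Only the first should survive a tcp.port == 50000 filter."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    frames = [
        _frame(50000, 443),
        _frame(40000, 80),
        _frame(50000, 53, proto=IPPROTO_UDP),
        _frame(50000, 9, frag_off=0x0001),
    ]
    out = bytearray(ghdr)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return bytes(out)


if __name__ == "__main__":
    # usage: filtercap.py very-large.eth only-infrequent.eth 50000
    with open(sys.argv[1], "rb") as fin, open(sys.argv[2], "wb") as fout:
        print(f"{filter_pcap(fin, fout, int(sys.argv[3]))} packets written")
```

For filters that BPF can express, the stock tools already behave this way: tcpdump reads a file sequentially and applies a capture-filter expression without dissecting anything, as in tcpdump -r very-large.eth -w only-infrequent.eth 'tcp port 50000', and tshark accepts -r, -w and a display filter (-Y on releases from 1.10 onward, -R on older ones) for fields BPF cannot see. The script above is worth having when a field is easier to match in code than in either filter language, or when the capture's trailing record is truncated and a strict reader refuses the file.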
