On Jan 25, 2007, at 8:23 PM, Stuart MacDonald wrote:
> I've read the man pages on the tools that come with Wireshark. I was
> hoping to find a tool that opens a capture, applies a filter and
> outputs matching packets to a new file. Here's a sample run of the
> hypothetical filtercap tool:
> # filtercap -r very-large.eth -w only-infrequent.eth -f "tcp.port==50000"
tcpdump -r very-large.eth -w only-infrequent.eth tcp port 50000
That can't do arbitrary display filtering, but truly *arbitrary*
display filtering has problems with reassembly (i.e., a filter that
matches something in the reassembled portion of the packet can't match
anything but the last packet). It also can't handle non-libpcap
capture files, but given that your capture file is *from* tcpdump,
it's obviously readable by tcpdump....
> tshark is almost the right thing, except that tshark also tries to
> read in the whole capture first instead of processing it like editcap.
No, actually, it *does* process it like editcap; neither it nor
Wireshark read the entire capture file into memory. They *do* keep
reassembled data in memory, but that's another matter.
_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
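As an added illustration of the behaviour discussed above (this is example code written for this page, not code from the thread, from tcpdump or from Wireshark), the following Python script does what the hypothetical "filtercap" tool was asked to do and what the `tcpdump -r ... -w ...` answer provides: it streams a classic pcap file one record at a time, applies a per-packet "tcp port N" test, and writes only the matching records to a new capture. It deliberately has no reassembly, so it shows the caveat raised in the reply: a per-packet filter can only see headers that are physically present in each frame (a non-first IP fragment, for instance, carries no TCP port and cannot match). Assumptions: classic pcap format (not pcapng), Ethernet link type, IPv4 only; the sample capture is constructed in memory with dummy addresses and zero checksums.

```python
import struct
from io import BytesIO

# Classic pcap global header fields: magic, major/minor version, tz offset,
# sigfigs, snaplen, link type. LINKTYPE_ETHERNET is 1.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def pcap_global_header():
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def pcap_record(ts_sec, ts_usec, frame):
    # Record header: ts_sec, ts_usec, captured length, original length.
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def tcp_frame(src_port, dst_port, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for sample data (checksums left zero)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"      # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def iter_records(fobj):
    """Yield (ts_sec, ts_usec, frame) one record at a time; the file is never
    read into memory as a whole, which is what lets this run on large captures."""
    hdr = fobj.read(24)
    if len(hdr) != 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(endian + "I", hdr[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    while True:
        rec = fobj.read(16)
        if not rec:
            return
        if len(rec) != 16:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        frame = fobj.read(incl_len)
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")
        yield ts_sec, ts_usec, frame


def tcp_port_matches(frame, port):
    """Per-packet equivalent of the BPF filter 'tcp port N'. No reassembly is
    done, so only headers present in this very frame can be examined."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl or frame[23] != 6:          # not TCP
        return False
    frag_off = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if frag_off != 0:                                     # non-first fragment: no TCP header here
        return False
    tcp_start = 14 + ihl
    if len(frame) < tcp_start + 4:
        return False
    src, dst = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    return port in (src, dst)


def filtercap(infile, outfile, port):
    """Copy only records matching 'tcp port <port>' to outfile; return the count kept."""
    outfile.write(pcap_global_header())
    kept = 0
    for ts_sec, ts_usec, frame in iter_records(infile):
        if tcp_port_matches(frame, port):
            outfile.write(pcap_record(ts_sec, ts_usec, frame))
            kept += 1
    return kept


def demo():
    """Build a constructed four-packet capture in memory and keep only TCP port 50000."""
    src = BytesIO(pcap_global_header()
                  + pcap_record(1, 0, tcp_frame(40000, 80, b"GET / "))
                  + pcap_record(2, 0, tcp_frame(50000, 1234, b"hello"))
                  + pcap_record(3, 0, tcp_frame(1234, 50000, b"reply"))
                  + pcap_record(4, 0, tcp_frame(443, 40001)))
    dst = BytesIO()
    kept = filtercap(src, dst, 50000)
    return kept, dst.getvalue()


if __name__ == "__main__":
    kept, data = demo()
    print("kept %d packets, wrote %d bytes" % (kept, len(data)))
```

To use it on real files, replace the two `BytesIO` objects in `demo()` with `open("very-large.eth", "rb")` and `open("only-infrequent.eth", "wb")`. The match function is intentionally limited to what a single frame contains, which is exactly why a display filter that refers to reassembled data behaves differently in tshark than a capture filter does in tcpdump.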