Ethereal-users: Re: [Ethereal-users] Tethereal filtering - file to file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 21 Nov 2001 10:50:58 -0800 (PST)
> I can use tethereal to read from one file, writing to the other.
> - What filters should I use, capture-filters or read-filters ?

Read filters.  Tethereal does *NOT* support using capture filters unless
it's doing a capture; it does not support them when it's just reading an
existing capture file.

> - The "-c" option works, but can I do something like "the last 100 packets
> of the file" ?

No.  Editcap doesn't make that easy, either; if you know that the file
has N packets, you could do

	editcap <input file> <output file> -r <N-99>-<N>

so that packets N-99 to N are written (NOTE: <N-99> means the number
whose value is N-99; you can't say "500000-99", for example), but if you
don't know that number, you're out of luck.

> - Can I do something like "all the packets between two time stamps in the
> file" ?

Yes, with a read filter on "frame.time", as noted in another message.