Wireshark-users: Re: [Wireshark-users] Filtering a very large capture file
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 25 Jan 2007 21:15:21 -0800

On Jan 25, 2007, at 8:23 PM, Stuart MacDonald wrote:

> I've read the man pages on the tools that come with Wireshark. I was
> hoping to find a tool that opens a capture, applies a filter and
> outputs matching packets to a new file. Here's a sample run of the
> hypothetical filtercap tool:
> # filtercap -r very-large.eth -w only-infrequent.eth -f "tcp.port==50000"

	tcpdump -r very-large.eth -w only-infrequent.eth tcp port 50000

That can't do arbitrary display filtering, but truly *arbitrary* display filtering has problems with reassembly (i.e., a filter that matches something in the reassembled portion of the packet can't match anything but the last packet). It also can't handle non-libpcap capture files, but given that your capture file is *from* tcpdump, it's obviously readable by tcpdump....

> tshark is almost the right thing, except that tshark also tries to
> read in the whole capture first instead of processing it like editcap.

No, actually, it *does* process it like editcap; neither it nor Wireshark read the entire capture file into memory. They *do* keep reassembled data in memory, but that's another matter.
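To make the streaming point concrete, here is an added example (not code from the thread or from the Wireshark project) of the "filtercap" tool the question imagines: it walks a libpcap file one record at a time, keeps only TCP packets using port 50000, and writes them to a new file without ever holding the capture in memory. Like the tcpdump capture filter in the reply, it matches per packet and knows nothing about reassembly; the sample frames and the little-endian-only pcap handling are constructed assumptions for this example.

```python
import struct
from io import BytesIO

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1

def make_tcp_frame(sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for a demo)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType=IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + tcp

def make_pcap(frames):
    """Constructed pcap file: 24-byte global header plus one 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1169784000 + i, 0, len(f), len(f)) + f
    return out

def tcp_ports(frame):
    """Return (sport, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                           # honour IP options
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:        # not TCP / truncated
        return None
    return struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])

def filtercap(src, dst, port):
    """Stream records from src to dst, keeping TCP packets where either port matches.
    Only one record is ever resident, which is why file size does not matter."""
    hdr = src.read(24)
    if len(hdr) < 24 or struct.unpack("<I", hdr[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap handled here")
    dst.write(hdr)
    kept = 0
    while True:
        rec = src.read(16)
        if len(rec) < 16:                                  # clean EOF (or trailing junk)
            break
        caplen = struct.unpack("<IIII", rec)[2]
        frame = src.read(caplen)
        ports = tcp_ports(frame)
        if ports and port in ports:
            dst.write(rec + frame)
            kept += 1
    return kept
```

With real files, replace the BytesIO objects with `open(path, "rb")` / `open(path, "wb")`; a display filter such as `tcp.port==50000` in tshark would additionally see reassembled data, which this per-packet match deliberately does not.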