Wireshark-users: Re: [Wireshark-users] Filtering a very large capture file
From: "Stuart MacDonald" <stuartm@xxxxxxxxxxxxxxx>
Date: Fri, 26 Jan 2007 10:28:13 -0500
From: On Behalf Of Jeff Morriss
> What about:
> 
> - split the files into 1000 smaller files
> - use a (decent) shell with tshark to process those files with tshark
> 
> The latter could be achieved in a Korn style shell with something like:
> 
> (for f in *.eth
> do
>      tshark -r "$f" -w - -R "tcp.port==50000"
> done) > only-infrequent.eth
> 
> That would work on Unix though I'm not sure about Windoze (IIRC in the
> past there have been issues with reading/writing stdin/stdout on that OS
> though maybe they're all fixed).

I did consider a shell script. My point in posting was two-fold: to
find out if I'd missed the blindly obvious, and to point out that this
either needs to exist or needs better documentation depending on the
result of the first point. I feel this functionality is intuitive,
expected of the toolset, and violates least-surprise that it doesn't
exist. I shouldn't have to rely on a shell script. In fact, if editcap
was expanded to handle the general -R/-f flags of the other tools,
this functionality would exist.

Thanks for the suggestion though, this is likely what I'll end up
doing.

I don't think the documentation mentions '-' is supported for -w.

..Stu
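
The split-and-filter procedure discussed in this thread, as an added example that is not part of either poster's message: each chunk is filtered into its own file and the results are combined with mergecap, so the output carries a single capture-file header rather than one per tshark run. The function name `filter_large_capture`, the default chunk size and the temporary file names are assumptions made for this example; it uses `-Y`, the display-filter option of current tshark, where the thread's 2007 command uses `-R`.

```shell
#!/bin/sh
# Added example: split a huge capture, filter each piece, merge the hits.
# Assumes editcap, tshark and mergecap (all shipped with Wireshark) are on PATH.
# Usage: filter_large_capture huge.eth "tcp.port == 50000" only-infrequent.pcap

filter_large_capture() {
    in=$1; filter=$2; out=$3
    chunk=${4:-100000}            # packets per chunk (constructed default)

    [ -r "$in" ] || { echo "cannot read $in" >&2; return 1; }
    work=$(mktemp -d) || return 1

    # 1. Split. editcap -c names its outputs <prefix>_NNNNN_<timestamp>.<suffix>.
    if ! editcap -c "$chunk" "$in" "$work/chunk.pcap"; then
        rm -rf "$work"; return 1
    fi

    # 2. Filter every chunk into its own output file, so that each result
    #    is a complete capture file in its own right.
    n=0
    for f in "$work"/chunk_*; do
        [ -e "$f" ] || continue   # glob matched nothing
        n=$((n + 1))
        if ! tshark -r "$f" -Y "$filter" -w "$work/hit_$n.pcap"; then
            rm -rf "$work"; return 1
        fi
        rm -f "$f"                # free disk space as we go
    done
    if [ "$n" -eq 0 ]; then
        echo "editcap produced no chunks" >&2
        rm -rf "$work"; return 1
    fi

    # 3. Merge. mergecap orders packets by timestamp, so the glob order of
    #    the hit_* files does not matter.
    if mergecap -w "$out" "$work"/hit_*.pcap; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}
```
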