On Mon, Apr 14, 2008 at 09:26:59PM -0700, Trevor Bosaw wrote:
> Hey,
>
> I have been examining data from a group that saves their packet data
> in a dump file. Wireshark recognizes these dump files, but they are
> too large, and it crashes before it can finish reading in the entire
> file. I have been able to split the files using the Unix command
> 'split', but since this command obviously cannot read the dump format,
> it splits the file in the middle of a packet.
Since the pcap file has a "file-header" and a per-packet "packet-header",
you can't just split it, because the last packet of the first file
will be split in the middle. But more importantly, the
second file will have no "file-header".
Use "editcap" instead; it is distributed with Wireshark, see:
http://www.wireshark.org/docs/man-pages/editcap.html
> Does anyone know what the wireshark dump file format is, and if so, if
> it's possible that I can manually open the second and on portions of
> the dump file, delete the second part of the packet, and load the rest
> into wireshark?
The file format Wireshark uses is the "libpcap" format, see:
http://wiki.wireshark.org/Development/LibpcapFileFormat
Hope this helps,
Cheers,
Sake
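The two problems Sake describes (a record cut in half at the end of the first piece, and no file header at the start of every later piece) are easy to see in code. What follows is an added example, not code from this thread, from editcap or from Wireshark. It walks the libpcap layout given in the linked format description (a 24-byte file header whose magic number fixes the byte order, then records that each start with a 16-byte header carrying incl_len), splits a capture on record boundaries the way editcap does, and also shows how to make pieces that were already produced by `split -b` loadable: prepend the file header to each piece and carry the record that straddles a cut into the piece where it completes. The function names, the sample capture built in memory and the 400-byte chunk size are all constructed for the example; it handles the classic libpcap format only, not pcapng.

```python
import struct

FILE_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PKT_HDR_LEN = 16    # ts_sec, ts_usec, incl_len, orig_len

# Magic number as stored on disk -> struct byte-order prefix for that file.
MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
}


def parse_file_header(data):
    """Return (byte_order, snaplen); raise ValueError if data has no file header."""
    if len(data) < FILE_HDR_LEN:
        raise ValueError("shorter than the 24-byte pcap file header")
    order = MAGICS.get(data[:4])
    if order is None:
        raise ValueError("no pcap magic number at offset 0 (headerless chunk?)")
    _, major, minor, _, _, snaplen, _ = struct.unpack(order + "IHHiIII", data[:FILE_HDR_LEN])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    return order, snaplen


def scan(data):
    """Walk the packet records. Return ([(offset, length), ...] of the complete
    records, offset where the walk stopped). For an intact file the stop offset
    equals len(data); for a piece cut mid-packet it is the start of the cut record."""
    order, snaplen = parse_file_header(data)
    records, off = [], FILE_HDR_LEN
    while len(data) - off >= PKT_HDR_LEN:
        _, _, incl_len, _ = struct.unpack(order + "IIII", data[off:off + PKT_HDR_LEN])
        if incl_len > snaplen:          # corrupt or mis-aligned: refuse to guess
            raise ValueError("implausible packet length at offset %d" % off)
        rec_len = PKT_HDR_LEN + incl_len
        if len(data) - off < rec_len:   # packet data cut short
            break
        records.append((off, rec_len))
        off += rec_len
    return records, off


def is_valid_pcap(data):
    try:
        return scan(data)[1] == len(data)
    except ValueError:
        return False


def count_packets(data):
    return len(scan(data)[0])


def split_pcap(data, packets_per_file):
    """Split on record boundaries, copying the file header into every part
    (the boundary-respecting split that editcap -c performs)."""
    records, stop = scan(data)
    if stop != len(data):
        raise ValueError("input is not an intact pcap file")
    header, parts = data[:FILE_HDR_LEN], []
    for i in range(0, len(records), packets_per_file):
        group = records[i:i + packets_per_file]     # records are contiguous
        start, end = group[0][0], group[-1][0] + group[-1][1]
        parts.append(header + data[start:end])
    return parts


def repair_split_chunks(chunks):
    """Make the pieces produced by `split -b` loadable without losing packets:
    prepend the file header to every piece and move the record that straddles a
    cut into the piece where it completes. chunks must be in file order."""
    header = chunks[0][:FILE_HDR_LEN]
    parse_file_header(header)           # first piece must start with the real header
    repaired, carry = [], b""
    for i, chunk in enumerate(chunks):
        data = chunk if i == 0 else header + carry + chunk
        _, stop = scan(data)
        repaired.append(data[:stop])    # header plus only complete records
        carry = data[stop:]             # leading bytes of the record cut here
    if carry:
        raise ValueError("%d trailing bytes do not form a complete packet" % len(carry))
    return repaired


def build_sample_pcap(packet_count, order="<"):
    """Constructed test data: a v2.4 pcap with Ethernet linktype and
    packet_count records of increasing size (60 + 7*i bytes of payload)."""
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = []
    for i in range(packet_count):
        payload = bytes([i & 0xFF]) * (60 + 7 * i)
        rec_hdr = struct.pack(order + "IIII", 1208230000 + i, 1000 * i, len(payload), len(payload))
        records.append(rec_hdr + payload)
    return header + b"".join(records)


if __name__ == "__main__":
    pcap = build_sample_pcap(10)
    half = len(pcap) // 2               # what `split -b` does: cut at any byte
    print("naive halves valid:", is_valid_pcap(pcap[:half]), is_valid_pcap(pcap[half:]))
    print("boundary split:", [count_packets(p) for p in split_pcap(pcap, 4)])
    chunks = [pcap[i:i + 400] for i in range(0, len(pcap), 400)]
    print("repaired split pieces:", [count_packets(p) for p in repair_split_chunks(chunks)])
```

For a real capture, `editcap -c <packets per file> big.pcap part.pcap` does the boundary-respecting split; the block only shows what that involves. The repair function is the answer to the second question: the leading fragment of a later piece can be identified and removed, but only by parsing the preceding piece to learn how long the straddling record is, which is why the pieces must be processed in order and why a plain text editor is the wrong tool for the job.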