Wireshark-users: [Wireshark-users] Betr: Re: edit a pcap capture to shorten file length?
Date: Mon, 19 May 2008 20:54:53 +0200
Hi,

There are different ways to save a selection of the 90MB file.

1: Mark 2 packets and save the selection
Let's say the number of packets in the 90MB file is 90.000.
Right-click on the 1st and 20.000th packet (Packet Summary Line) and choose
Mark Packet (toggle).
File -> Save As -> Packet Range -> select First to last marked -> save

Unmark those packets and mark the 20.001st and 40.000th packet, etc.

2: Use a display filter and save the selected packets.

3: Editcap
C:\Program Files\Wireshark\editcap
http://www.wireshark.org/docs/man-pages/editcap.html 

C:\Program Files\Wireshark>editcap -c 20000 90MB.pcap SplitFile.pcap
With the option -c you can define the maximum number of packets per file.

The result will be 5 output files, numbered from 00000 to 00004:
SplitFile.pcap-00000	20.000 packets
SplitFile.pcap-00001	20.000 packets
SplitFile.pcap-00002	20.000 packets
SplitFile.pcap-00003	20.000 packets
SplitFile.pcap-00004	10.000 packets

Grtz
Joan


>On 19 May 2008 Jake Peavy wrote:
>
>On 5/19/08, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
>>
>> On Mon, May 19, 2008 at 09:15:08AM -0700, Tracy Dennis wrote:
>>
>> > I'm new to the application, so I apologize if this is a stupid
>> > question. I performed a capture that generated a 90 MB file, but I can
>> > only FTP a 20 MB file maximum to Cisco.  Is there a way to cut out or
>> > copy only a part of the capture to generate another PCAP file?
>>
>>
>> Check out the editcap command-line program that comes with Wireshark.
>> It lets you split your 90MB file into multiple files with 'x' number of
>> packets each.  Not the easiest solution, but if you play with it a bit
>> you should be able to trim down your files.
>
>
>or split,
>or gzip -9 may be enough,
>or an appropriate display filter and then save -> displayed packets only.
>
>
>-- 
>-jp
>
>Laurie got offended that I used the word "puke." But to me, that's what her
>dinner tasted like.
>
>deepthoughtsbyjackhandy.com
>_______________________________________________
>Wireshark-users mailing list
>Wireshark-users@xxxxxxxxxxxxx
>http://www.wireshark.org/mailman/listinfo/wireshark-users
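
Added example, not part of the original thread and not editcap's own code: `editcap -c` splits by packet count, which does not guarantee pieces under a byte limit when packet sizes vary, so this sketch splits a classic pcap file by size instead (the 20 MB FTP limit in the question). The function names and the script name are hypothetical, and pcapng input is rejected rather than handled.

```python
import struct
import sys

GLOBAL_HDR_LEN = 24  # classic pcap file header
REC_HDR_LEN = 16     # per-packet header: ts_sec, ts_frac, incl_len, orig_len
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}  # big-endian

def split_pcap_by_size(data, max_bytes):
    """Return complete pcap images, each at most max_bytes long."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < GLOBAL_HDR_LEN:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    header = data[:GLOBAL_HDR_LEN]
    pieces, current, offset = [], bytearray(header), GLOBAL_HDR_LEN
    while offset < len(data):
        if offset + REC_HDR_LEN > len(data):
            raise ValueError("truncated record header")
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        end = offset + REC_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet data")
        record = data[offset:end]
        if GLOBAL_HDR_LEN + len(record) > max_bytes:
            raise ValueError("a single packet exceeds the size limit")
        if len(current) + len(record) > max_bytes:
            pieces.append(bytes(current))   # close the full piece
            current = bytearray(header)     # every piece repeats the file header
        current += record
        offset = end
    if len(current) > GLOBAL_HDR_LEN:
        pieces.append(bytes(current))
    return pieces

def build_sample_pcap(payload_sizes):
    """Constructed sample capture: little-endian, Ethernet, zero-filled packets."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, size in enumerate(payload_sizes):
        out += struct.pack("<IIII", i, 0, size, size) + bytes(size)
    return bytes(out)

if __name__ == "__main__":
    # Usage (hypothetical script name): split_pcap.py 90MB.pcap 20000000
    with open(sys.argv[1], "rb") as f:
        parts = split_pcap_by_size(f.read(), int(sys.argv[2]))
    for n, part in enumerate(parts):
        with open("%s-%05d" % (sys.argv[1], n), "wb") as f:
            f.write(part)
```

Each output piece starts with a copy of the original 24-byte file header, so it opens in Wireshark as a normal capture.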