Hi Ujjval,

You can use editcap to split the file:
http://www.wireshark.org/docs/man-pages/editcap.html

First you can use capinfos to display statistics of the capture file:
http://www.wireshark.org/docs/man-pages/capinfos.html

capinfos -c displays the number of packets in the capture file:

$ capinfos -c test.cap
File name: test.cap
Number of packets: 511145

Next you can use editcap with the option -c to set the maximum number of
packets per output file.
In this example 100.000 packets per file. Each output file will be created
with a suffix, starting with -00000.

editcap -c <packets per file> <inputfile> <outputfile>

$ editcap -c 100000 test.cap split.cap

The following command displays the names of the created capture files and
the number of packets in each file.

$ capinfos -c split.cap*
File name: split.cap-00000
Number of packets: 100000
File name: split.cap-00001
Number of packets: 100000
File name: split.cap-00002
Number of packets: 100000
File name: split.cap-00003
Number of packets: 100000
File name: split.cap-00004
Number of packets: 100000
File name: split.cap-00005
Number of packets: 11145

Hope this helps.
Joan

>From: Ujjval Karihaloo <ujjval@xxxxxxxxxxxxxxxx>
On Fri, 8 May 2009 09:49:23 -0700 Ujjval Karihaloo wrote:
>
>Can we split up large PCAP (about 1 Gig) files so Windows can open them
>and not run out of memory?
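
Added example, not part of the original message and not editcap's own code: a streaming splitter for classic pcap files that shows what a split by packet count involves, reading one record at a time so memory use stays flat however large the capture is. The names split_pcap, make_sample_pcap and MAX_RECORD are hypothetical, the output naming copies the -00000 suffix shown above, and pcapng input is assumed out of scope.

```python
import struct

# First four bytes of a classic pcap file -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond
MAX_RECORD = 262144  # assumed sanity limit on one packet's stored length

def make_sample_pcap(path, n):
    """Write a constructed little-endian capture holding n 4-byte packets."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1))
        for i in range(n):
            f.write(struct.pack("<IIII", i, 0, 4, 4) + struct.pack("<I", i))

def split_pcap(in_path, out_prefix, packets_per_file):
    """Split in_path into chunks; returns [(output_name, packet_count), ...]."""
    if packets_per_file < 1:
        raise ValueError("packets_per_file must be at least 1")
    results, out, name, count = [], None, None, 0
    with open(in_path, "rb") as src:
        file_header = src.read(24)
        if len(file_header) != 24 or file_header[:4] not in MAGICS:
            raise ValueError("not a classic pcap file (pcapng is not handled)")
        order = MAGICS[file_header[:4]]
        try:
            while True:
                rec_header = src.read(16)  # ts_sec, ts_frac, incl_len, orig_len
                if len(rec_header) < 16:
                    break  # end of file, or a cut-off trailing record header
                incl_len = struct.unpack(order + "IIII", rec_header)[2]
                if incl_len > MAX_RECORD:
                    raise ValueError("implausible record length %d" % incl_len)
                data = src.read(incl_len)
                if len(data) < incl_len:
                    break  # the last packet is truncated: drop it
                if out is None:  # each chunk starts with a copy of the file header
                    name = "%s-%05d" % (out_prefix, len(results))
                    out, count = open(name, "wb"), 0
                    out.write(file_header)
                out.write(rec_header + data)
                count += 1
                if count == packets_per_file:
                    out.close()
                    results.append((name, count))
                    out = None
        finally:
            if out is not None:  # final, partly filled chunk
                out.close()
                results.append((name, count))
    return results
```

A capture cut off in the middle of its last packet still splits cleanly, and a packet count that divides evenly leaves no empty trailing file.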