Wireshark · Wireshark-users: [Wireshark-users] filtering in non-GUI mode

Wireshark-users: [Wireshark-users] filtering in non-GUI mode

From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>

Date: Fri, 17 Jul 2009 22:32:59 +0900

Hi,

I have huge capture files and I would like to filter them, without
loading the whole cap-file. The display filter does what I want
(wireshark -R ip.addr==1.2.3.4 dump.cap), but instead of buffering
everything into the GUI, I would like to output the filtered packages
to a new cap-file. The original cap-file is 1.3GB and Wireshark will
get passed its maximum allowed process-memory when it loads it.

Is there a way to filter in non-GUI mode?

Thank you,
Andrej

Follow-Ups:
- Re: [Wireshark-users] filtering in non-GUI mode
  - From: Sake Blok
- Re: [Wireshark-users] filtering in non-GUI mode
  - From: Hakim Apithy

Prev by Date: Re: [Wireshark-users] How to decode an encoded NAS message?
Next by Date: Re: [Wireshark-users] filtering in non-GUI mode
Previous by thread: Re: [Wireshark-users] How to decode an encoded NAS message?
Next by thread: Re: [Wireshark-users] filtering in non-GUI mode
Index(es):
- Date
- Thread