Wireshark-users: Re: [Wireshark-users] filtering in non-GUI mode
From: Hakim Apithy <hapithy@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 17 Jul 2009 10:00:51 -0400
Hello:

Maybe you will need to use the command-based tshark utility which comes with Wireshark:
- tshark -r dump.cap -R "ip.addr == 1.2.3.4" -w new_file.cap
- Then "wireshark new_file.cap" would just be fine.

Hopefully it helps.

Regards,

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Andrej van der Zee
Sent: Friday, July 17, 2009 9:33 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] filtering in non-GUI mode

Hi,

I have huge capture files and I would like to filter them, without
loading the whole cap-file. The display filter does what I want
(wireshark -R ip.addr==1.2.3.4 dump.cap), but instead of buffering
everything into the GUI, I would like to output the filtered packages
to a new cap-file. The original cap-file is 1.3GB and Wireshark will
get past its maximum allowed process-memory when it loads it.

Is there a way to filter in non-GUI mode?

Thank you,
Andrej
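
An added example, not part of the original thread and not Wireshark code: a streaming filter that copies only the packets to or from one IPv4 address into a new capture file, reading one record at a time so memory use stays constant however large the input is. It assumes a classic pcap file (not pcapng) with Ethernet framing; `filter_pcap` and `sample_capture` are hypothetical names, and the sample capture is constructed.

```python
import io
import socket
import struct

def filter_pcap(src, dst, ip):
    """Copy IPv4 packets whose source or destination is `ip` from the binary
    stream `src` to `dst`, one record at a time. Returns (seen, kept)."""
    want = socket.inet_aton(ip)
    ghdr = src.read(24)
    # The magic number gives the byte order (microsecond and nanosecond variants).
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(ghdr[:4])
    if len(ghdr) != 24 or endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", ghdr[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled")
    dst.write(ghdr)
    seen = kept = 0
    while True:
        rhdr = src.read(16)                      # ts_sec, ts_frac, incl_len, orig_len
        if len(rhdr) < 16:
            break                                # end of file
        incl_len = struct.unpack(endian + "I", rhdr[8:12])[0]
        data = src.read(incl_len)
        if len(data) < incl_len:
            break                                # capture was cut off mid-packet
        seen += 1
        off = 16 if data[12:14] == b"\x81\x00" else 12   # skip one 802.1Q tag
        ip_hdr = data[off + 2:off + 22]
        if data[off:off + 2] != b"\x08\x00" or len(ip_hdr) < 20:
            continue                             # not IPv4, or header truncated
        if want in (ip_hdr[12:16], ip_hdr[16:20]):
            dst.write(rhdr + data)               # record header copied unchanged
            kept += 1
    return seen, kept

def sample_capture(pairs):
    """Constructed input: little-endian Ethernet pcap, one bare IPv4 header per (src, dst)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for s, d in pairs:
        ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                           socket.inet_aton(s), socket.inet_aton(d))
        frame = b"\x00" * 12 + b"\x08\x00" + ipv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    cap = sample_capture([("1.2.3.4", "10.0.0.1"), ("10.0.0.2", "10.0.0.3")])
    print(filter_pcap(io.BytesIO(cap), io.BytesIO(), "1.2.3.4"))
```

For files on disk, pass handles opened with `open(path, "rb")` and `open(path, "wb")`.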