Andrej van der Zee wrote on Sat, 18 Jul 2009 00:52:51 +0900
>> Maybe you will need to use the command-based tshark utility which comes
with Wireshark:
>> - tshark -r dump.cap -R "ip.addr == 1.2.3.4" -w new_file.cap
>> - Then "wireshark new_file.cap" would just be fine.
>>
>
>Thanks for the tip! I didn't know tshark.
>
>The problem is that tshark also gets huge until it reaches its
>maximum process size (somewhere around 3GB for a 1.3GB cap-file). Why
>does it need so much memory? Can't it handle it packet by packet?

Wire/Tshark are too good! They are essentially the same program. They
maintain state about all packets. You don't need that, probably, but it
means a big enough file will cause either to run out of memory.
Use editcap to split the big file into lots of small ones, then filter
them with tshark, then use mergecap to combine the results. Those are all
command line tools, so you can automate the process.
editcap -c100000 dump.cap split_file.cap
That will generate files like:
split_file_00000_20090720200100.cap
split_file_00001_20090720210000.cap
and so on.
The 100000 is the size of each split file in frames. I find that small
enough so Wireshark is reasonably fast on my system. You could make it
bigger if you're only going to run tshark on them.
Julian.
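Added example, not code from this thread or from the Wireshark project. It shows two things at once: the packet-by-packet processing Andrej asked about (the pcap record format is simple enough that a filter on ip.addr needs only one record in memory at a time), and Julian's split -> filter -> merge pipeline done the same way, so the two outputs can be compared. The names (read_global_header, filter_pcap, split_pcap, merge_pcaps, demo) are my own; the capture is constructed inline; the parser assumes classic pcap (not pcapng) with Ethernet frames and only looks at untagged IPv4, so VLAN-tagged or IPv6 traffic is treated as "no IP address" rather than parsed.

```python
import io
import socket
import struct

# Added example, not code from the thread: pure-Python pcap handling that touches one
# record at a time (constant memory), plus editcap -c and mergecap -a analogues.
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond / nanosecond timestamp variants
LINKTYPE_ETHERNET = 1

def read_global_header(f):
    """Return (raw 24-byte header, struct byte order, linktype); raise if not pcap."""
    raw = f.read(24)
    if len(raw) != 24:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):
        if struct.unpack(order + "I", raw[:4])[0] in PCAP_MAGICS:
            return raw, order, struct.unpack(order + "HHiIII", raw[4:])[5]
    raise ValueError("not a pcap file (bad magic)")

def iter_records(f, order):
    """Yield (16-byte record header, frame bytes) one record at a time."""
    while hdr := f.read(16):
        incl_len = struct.unpack(order + "IIII", hdr)[2] if len(hdr) == 16 else -1
        data = f.read(max(incl_len, 0))
        if len(data) != incl_len:  # also catches a short record header (incl_len == -1)
            raise ValueError("truncated pcap record")
        yield hdr, data

def ipv4_addrs(frame):
    """(src, dst) for IPv4-over-Ethernet; None for ARP, VLAN-tagged, IPv6 or short frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def filter_pcap(src, dst, addr):
    """Copy frames where ip.addr == addr (source or destination) to dst; return (seen, kept)."""
    ghdr, order, linktype = read_global_header(src)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example assumes Ethernet (linktype 1)")
    dst.write(ghdr)
    seen = kept = 0
    for hdr, data in iter_records(src, order):
        seen += 1
        addrs = ipv4_addrs(data)
        if addrs is not None and addr in addrs:
            dst.write(hdr + data)
            kept += 1
    return seen, kept

def split_pcap(src, chunk_frames):
    """editcap -c<N> analogue: yield self-contained pcap chunks of at most N records."""
    ghdr, order, _ = read_global_header(src)
    chunk = []  # holds at most one chunk of records, never the whole capture
    for hdr, data in iter_records(src, order):
        chunk.append(hdr + data)
        if len(chunk) == chunk_frames:
            yield io.BytesIO(ghdr + b"".join(chunk))
            chunk = []
    if chunk:
        yield io.BytesIO(ghdr + b"".join(chunk))

def merge_pcaps(parts, dst):
    """mergecap -a analogue: one global header, every part's records appended in order."""
    fmt, total = None, 0
    for part in parts:
        ghdr, order, linktype = read_global_header(part)
        if fmt is None:
            fmt = (order, linktype)
            dst.write(ghdr)
        elif fmt != (order, linktype):
            raise ValueError("parts differ in byte order or link type; cannot append raw records")
        for hdr, data in iter_records(part, order):
            dst.write(hdr + data)
            total += 1
    return total

def build_frame(src_ip, dst_ip):  # constructed frame: 14-byte Ethernet + 20-byte IPv4 + 8 bytes
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + bytes(8)

def build_pcap(frames):  # constructed little-endian pcap 2.4 file, Ethernet link type
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1247846400 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def demo(chunk_frames=2):
    """Direct streaming filter versus split -> filter -> merge; the outputs must be identical."""
    arp = bytes.fromhex("ffffffffffff 66778899aabb 0806") + bytes(28)  # non-IP frame, skipped
    frames = [build_frame("1.2.3.4", "10.0.0.1"), build_frame("10.0.0.1", "10.0.0.2"), arp,
              build_frame("10.0.0.2", "1.2.3.4"), build_frame("192.168.1.1", "192.168.1.2")]
    capture = build_pcap(frames)
    direct, merged, parts = io.BytesIO(), io.BytesIO(), []
    seen, kept = filter_pcap(io.BytesIO(capture), direct, "1.2.3.4")
    for chunk in split_pcap(io.BytesIO(capture), chunk_frames):
        part = io.BytesIO()
        filter_pcap(chunk, part, "1.2.3.4")
        parts.append(io.BytesIO(part.getvalue()))
    merged_kept = merge_pcaps(parts, merged)
    return {"seen": seen, "kept": kept, "chunks": len(parts), "merged_kept": merged_kept,
            "identical": merged.getvalue() == direct.getvalue()}
```

Two notes for anyone reproducing the real pipeline rather than this toy: merge_pcaps appends records like `mergecap -a`; plain `mergecap` instead interleaves inputs by timestamp, which is what you want if the split files overlap in time. And on current Wireshark releases the single-pass form of the quoted tshark command is `tshark -r dump.cap -Y "ip.addr == 1.2.3.4" -w new_file.cap`; `-R` is now a two-pass read filter that has to be combined with `-2`.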