Wireshark · Wireshark-users: Re: [Wireshark-users] How to cut big packet capture file to sevreal files

Wireshark-users: Re: [Wireshark-users] How to cut big packet capture file to sevreal files

Date: Sun, 16 Aug 2009 16:43:07 +0200

Hi Boaz,

You can use editcap:
http://www.wireshark.org/docs/man-pages/editcap.html

Use capinfos to see how many packets the 500MB file contains:
http://www.wireshark.org/docs/man-pages/capinfos.html

$ capinfos -eac test.pcap
File name: test.pcap
Number of packets: 293054
Start time: Thu Oct 02 10:38:49 2008
End time: Thu Oct 02 12:11:23 2008


Next use editcap to split the file:
editcap <option -c packets per file> infile outfile
$ editcap -c 60000 test.pcap split.pcap


This is the result:
$ capinfos -c split*
File name: split.pcap-00000
Number of packets: 60000

File name: split.pcap-00001
Number of packets: 60000

File name: split.pcap-00002
Number of packets: 60000

File name: split.pcap-00003
Number of packets: 60000

File name: split.pcap-00004
Number of packets: 53054

Hope this helps
Joan


On Sun, 16 Aug 2009 16:42:22 +0300 Boaz Galil wrote:
>
>I captured 500MB in one file.  I cant open this file on my PC (windows XP
>latest wireshark version 1.2.0). Is there any way to cut the file to sevreal
>equal  files (without opening the wireshark application) so I will be able
>to open the files?
>
>Thanks in advance,
>
>-- 
>Boaz.

Follow-Ups:
- Re: [Wireshark-users] How to cut big packet capture file to sevreal files
  - From: Boaz Galil

References:
- [Wireshark-users] How to cut big packet capture file to sevreal files
  - From: Boaz Galil

Prev by Date: Re: [Wireshark-users] How to cut big packet capture file to sevrealfiles
Next by Date: Re: [Wireshark-users] How to cut big packet capture file to sevreal files
Previous by thread: Re: [Wireshark-users] How to cut big packet capture file to sevrealfiles
Next by thread: Re: [Wireshark-users] How to cut big packet capture file to sevreal files
Index(es):
- Date
- Thread