Wireshark-users: Re: [Wireshark-users] How to cut big packet capture file to sevreal files
Date: Sun, 16 Aug 2009 18:37:49 +0200
Hi Boaz,

You're welcome:)

You can use a display filter:
-R udp.dstport=9000
-R udp.srcport=9000
-R udp.port=9000 (source or destination port=9000)

tshark -r <infile> -R <display filter> -w <outfile>
$ tshark -r test.pcap -R udp.dstport=9000 -w udp.dstport9000.pcap

You can use all kinds of display filters.
Please take a look at the Display Filter Reference:
http://www.wireshark.org/docs/dfref/

You can also use editcap to split the file in chunks of X secondes:
editcap -i <secondes per file> <infile> <outfile>
editcap -i 300 test.pcap test_5minutes.pcap

Hope this helps
Joan

On Sun, 16 Aug 2009 18:23:26 +0300 Boaz Galil wrote:

>WOW,
>
>Thank you for the fast respond. I really appreciate it.
>
>I do have a follow up question (sorry for being greedy). After dividing
the
>500MB packet capture I just realized that I have only 15minutes of traffic
>and I actually need a specific traffic from the packet capture.  Let?s say
>I
>want to filter only traffic that has destination UDP port of 9000. Is it
>possible to do something like this from command line? Or do I need to open
>the GUI for it? (I was actually able to open the packet capture after you
>showed me how to divide the files? but if its possible to divide the file
>using a specific network/wireshark filter it would be great).
>
>
>
>
>
>
>On Sun, Aug 16, 2009 at 5:43 PM, <j.snelders@xxxxxxxxxx> wrote:
>
>> Hi Boaz,
>>
>> You can use editcap:
>> http://www.wireshark.org/docs/man-pages/editcap.html
>>
>> Use capinfos to see how many packets the 500MB file contains:
>> http://www.wireshark.org/docs/man-pages/capinfos.html
>>
>> $ capinfos -eac test.pcap
>> File name: test.pcap
>> Number of packets: 293054
>> Start time: Thu Oct 02 10:38:49 2008
>> End time: Thu Oct 02 12:11:23 2008
>>
>>
>> Next use editcap to split the file:
>> editcap <option -c packets per file> infile outfile
>> $ editcap -c 60000 test.pcap split.pcap
>>
>>
>> This is the result:
>> $ capinfos -c split*
>> File name: split.pcap-00000
>> Number of packets: 60000
>>
>> File name: split.pcap-00001
>> Number of packets: 60000
>>
>> File name: split.pcap-00002
>> Number of packets: 60000
>>
>> File name: split.pcap-00003
>> Number of packets: 60000
>>
>> File name: split.pcap-00004
>> Number of packets: 53054
>>
>> Hope this helps
>> Joan
>>
>>
>> On Sun, 16 Aug 2009 16:42:22 +0300 Boaz Galil wrote:
>> >
>> >I captured 500MB in one file.  I cant open this file on my PC (windows
>XP
>> >latest wireshark version 1.2.0). Is there any way to cut the file to
>> sevreal
>> >equal  files (without opening the wireshark application) so I will be
>able
>> >to open the files?
>> >
>> >Thanks in advance,
>> >
>> >--
>> >Boaz.