Wireshark-users: Re: [Wireshark-users] How to filter out last 1000 frames in a quick way

From: "Abhik Sarkar" <sarkar.abhik@xxxxxxxxx>
Date: Mon, 7 Jul 2008 16:36:56 +0400

Or, if you are in a *nix environment (or have Cygwin on Windows), with
a bit of scripting, you can do the following:
use capinfos to get the number of packets in the file:
$ capinfos -c test.cap
File name: test.cap
Number of packets: 8802

Then use something like:
$ editcap -r test.cap extract.cap 7803-8802

Then, extract.cap will have the last 1000 packets!

This method is longer than what Hansang suggested, but will result in
exactly one file which is of interest to you ;-)

HTH
Abhik.

On Sun, Jul 6, 2008 at 7:11 AM, Hansang Bae <hbae@xxxxxxxxxx> wrote:
> Bin Zhou wrote:
>> Sometime, I capture a big size of file, but I may need to do voip calls
>> analysis for a snapshot. For example, it is good enough for me to see
>> flows of last one thousand packets.
>> If there is a quick way to filter out last 1000 frames without going to
>> the frame or packet detail level, it will be very helpful.
>> Thanks for your help in advance.
>
> The only thing you could try would be to use "editcap -c xxx" to specify
> how many packets you want per trace file (where xxx = how many packets
> you want)
>
> Or you could try -A option to specify when you want to start seeing the
> "interesting" packets.
>
> --
>
> Thanks,
> Hansang
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>