Wireshark

  • Riverbed Technology
  • WinPcap
the world's foremost network protocol analyzer
  • Wireshark
    • About
    • Download
    • Blog
  • Get Help
    • Ask a Question
    • FAQs
    • Documentation
    • Mailing Lists
    • Online Tools
    • Wiki
    • Bug Tracker
  • Develop
    • Get Involved
    • Developer's Guide
    • Browse the Code
    • Latest Builds

Wireshark-users: Re: [Wireshark-users] How to filter out last 1000 frames in a quick way

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next


From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Mon, 07 Jul 2008 15:28:04 -0400

Abhik Sarkar wrote:

Or, if you are in a *nix environment (or have Cygwin on Windows), with
a bit of scripting, you can do the following:
use capinfos to get the number of packets in the file:
$ capinfos -c test.cap
File name: test.cap
Number of packets: 8802

Then use something like:
$ editcap -r test.cap extract.cap 7803-8802

Then, extract.cap will have the last 1000 packets!

This method is longer than what Hansang suggested, but will result in
exactly one file which is of interest to you ;-)
Very true! And you never know, the "final" file could have just 800 packets it in, so this is a better approach. 


--

Thanks,
Hansang
  • References:
    • Re: [Wireshark-users] How to filter out last 1000 frames in a quick way
      • From: Hansang Bae
    • Re: [Wireshark-users] How to filter out last 1000 frames in a quick way
      • From: Abhik Sarkar
  • Prev by Date: Re: [Wireshark-users] add random packet lost
  • Next by Date: Re: [Wireshark-users] how to print time with epoch formation by tshark
  • Previous by thread: Re: [Wireshark-users] How to filter out last 1000 frames in a quick way
  • Next by thread: Re: [Wireshark-users] BPDU packets
  • Index(es):
    • Date
    • Thread

Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation