Wireshark-users: Re: [Wireshark-users] Large files



From: Ujjval Karihaloo <ujjval@xxxxxxxxxxxxxxxx>
Date: Fri, 8 May 2009 11:11:55 -0700

Awesome, thank you!



-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of j.snelders@xxxxxxxxxx
Sent: Friday, May 08, 2009 12:09 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Large files

Hi Ujjval,

You can use editcap to split the file:
http://www.wireshark.org/docs/man-pages/editcap.html

First you can use capinfos to display statistics of the capture file:
http://www.wireshark.org/docs/man-pages/capinfos.html

capinfos -c displays the number of packets in the capture file:
$ capinfos -c test.cap
File name: test.cap
Number of packets: 511145

Next you can use editcap with the option -c to set the maximum number of
packets per output file.
In this example 100.000 packets per file. Each output file will be created
with a suffix, starting with -00000.
editcap -c <packets per file> <inputfile> <outputfile>
$ editcap -c 100000 test.cap split.cap

The following command displays the names of the created capture files and
the number of packets in each file. 
$ capinfos -c split.cap*
File name: split.cap-00000
Number of packets: 100000

File name: split.cap-00001
Number of packets: 100000

File name: split.cap-00002
Number of packets: 100000

File name: split.cap-00003
Number of packets: 100000

File name: split.cap-00004
Number of packets: 100000

File name: split.cap-00005
Number of packets: 11145


Hope this helps.
Joan



>From: Ujjval Karihaloo <ujjval@xxxxxxxxxxxxxxxx>
On Fri, 8 May 2009 09:49:23 -0700 Ujjval Karihaloo wrote:
>
>Can we split up large PCAP (about 1 Gig) files so Windows can open them
>and not run out of memory?


       


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
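
An added example (not from the thread and not editcap's own code) of what the packet-count split in Joan's reply does to a classic pcap file: the 24-byte global header is copied into every output file and records are cut every N packets. `split_pcap`, `make_sample_pcap` and the `MAX_PACKET` value are assumptions of this example; output names follow the `-00000` suffix shown in the thread, and pcapng input is not handled.

```python
import struct

# Classic pcap magic numbers as they appear when read little-endian -> byte order.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
MAX_PACKET = 262144  # sanity limit on a record's captured length (assumed value)

def split_pcap(in_path, out_prefix, packets_per_file):
    """Split a classic pcap; return [(output_name, packet_count), ...]."""
    if packets_per_file < 1:
        raise ValueError("packets_per_file must be >= 1")
    results, out, count = [], None, 0
    with open(in_path, "rb") as src:
        global_hdr = src.read(24)
        magic = struct.unpack("<I", global_hdr[:4])[0] if len(global_hdr) == 24 else None
        if magic not in MAGICS:
            raise ValueError("not a classic pcap file (pcapng is not handled)")
        endian = MAGICS[magic]
        try:
            while True:
                rec_hdr = src.read(16)
                if len(rec_hdr) < 16:
                    break  # end of file, or a truncated trailing record header
                incl_len = struct.unpack(endian + "I", rec_hdr[8:12])[0]
                if incl_len > MAX_PACKET:
                    raise ValueError("implausible packet length %d" % incl_len)
                data = src.read(incl_len)
                if len(data) < incl_len:
                    break  # truncated final packet: drop it
                if out is None:  # start the next output file, reusing the header
                    name = "%s-%05d" % (out_prefix, len(results))
                    out = open(name, "wb")
                    out.write(global_hdr)
                out.write(rec_hdr + data)
                count += 1
                if count == packets_per_file:
                    out.close()
                    results.append((name, count))
                    out, count = None, 0
        finally:
            if out is not None:
                out.close()
                results.append((name, count))
    return results

def make_sample_pcap(path, n_packets):
    """Write a constructed little-endian Ethernet capture of n 60-byte packets."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i in range(n_packets):
            f.write(struct.pack("<IIII", i, 0, 60, 60) + bytes(60))
```

Each output file opens on its own in Wireshark because it carries the original global header; the length check keeps a corrupt or hostile record header from triggering a huge read.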