Wireshark-users: Re: [Wireshark-users] minimum snapshot length IP packets



From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 6 Aug 2009 06:49:22 +0200

On Thu, Aug 06, 2009 at 09:16:49AM +0900, Andrej van der Zee wrote:
> 
>    I have huge cap files that I want to reduce in size. In the end I only
>    need the timestamp, protocol, packet length, src IP and dst IP. What is
>    the minimum snapshot length I should use?

That depends, do you have vlan tags in the traffic? Is the IP header in
your trace always 20 bytes? If the answers are no and yes, then you
would have to use "14 (ethernet) + 20 (IP) = 34 octets". Add 4 if 802.1q
vlan tags are present. You could use 

"tshark -r file.cap -T fields -e ip.hdr_len | sort -rn | head -1"

to determine the largest ip header length in your file.

>    Also, how can I get the snapshot length from an existing cap-file?

The libpcap format allows for a packet-by-packet snapshot-length, but
mostly there is one snapshot length per file, this can be determined by
using:

"tshark -r file.cap -T fields -e frame.cap_len | sort -rn | head -1"

Or when a large file is involved, try something like this:

"tshark -r file.cap -T fields -e frame.cap_len -R 'frame.len > 1400' -c1"

(assuming the snapshot-length is less than 1401)

Cheers,
    Sake
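The two checks above (what snaplen a file was written with, and what the traffic actually needs to keep the Ethernet + 802.1Q + IPv4 headers) can also be done without tshark by reading the libpcap headers directly. The script below is an added example, not code from this thread or from the Wireshark project. It assumes the classic libpcap format (24-byte global header, 16-byte record headers), link type 1 (Ethernet) and IPv4; the sample capture it runs on is constructed inline, and the function names are the example's own.

```python
"""Read the snaplen from a libpcap global header, compute the smallest snaplen
that still keeps every packet's full Ethernet + (optional 802.1Q) + IPv4 header,
and write a truncated copy.  Standard library only.  Added example, not part of
the mailing-list thread; the pcap bytes used below are constructed here."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
ETH_HDR_LEN = 14        # dst(6) + src(6) + ethertype(2)
VLAN_TAG_LEN = 4        # TPID(2) + TCI(2)
DLT_EN10MB = 1


def parse_global_header(data):
    """Return (struct endianness prefix, snaplen, linktype) from the 24-byte header."""
    magic, = struct.unpack_from('<I', data, 0)
    if magic == 0xa1b2c3d4:          # file written little-endian
        endian = '<'
    elif magic == 0xd4c3b2a1:        # file written big-endian
        endian = '>'
    else:
        raise ValueError('not a classic libpcap file (maybe pcapng?)')
    _major, _minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack_from(
        endian + 'HHiIII', data, 4)
    return endian, snaplen, linktype


def iter_records(data, endian):
    """Yield (ts_sec, ts_usec, orig_len, captured_bytes) for each record."""
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + 'IIII', data, off)
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError('truncated record at offset %d' % (off - 16))
        off += incl_len
        yield ts_sec, ts_usec, orig_len, pkt


def ip_header_end(pkt):
    """Offset just past the IPv4 header of an Ethernet frame (None if not IPv4).
    Walks over any number of 802.1Q tags, so QinQ frames are handled too."""
    off = ETH_HDR_LEN
    if len(pkt) < off:
        return None
    ethertype, = struct.unpack_from('!H', pkt, 12)
    while ethertype == ETHERTYPE_VLAN:
        if len(pkt) < off + VLAN_TAG_LEN:
            return None
        ethertype, = struct.unpack_from('!H', pkt, off + 2)
        off += VLAN_TAG_LEN
    if ethertype != ETHERTYPE_IPV4 or len(pkt) <= off:
        return None
    ihl_bytes = (pkt[off] & 0x0f) * 4      # IHL field, in 32-bit words
    return off + ihl_bytes


def minimum_snaplen(data):
    """Return (snaplen recorded in the file, smallest snaplen keeping all IP headers)."""
    endian, snaplen, linktype = parse_global_header(data)
    if linktype != DLT_EN10MB:
        raise ValueError('this example only handles Ethernet captures')
    needed = 0
    for _, _, _, pkt in iter_records(data, endian):
        end = ip_header_end(pkt)
        if end is not None:
            needed = max(needed, end)
    return snaplen, needed


def truncate_pcap(data, new_snaplen):
    """Rewrite the capture with every record cut to new_snaplen bytes.
    orig_len is preserved, so the original packet length survives the cut."""
    endian, _, _ = parse_global_header(data)
    out = bytearray(data[:24])
    struct.pack_into(endian + 'I', out, 16, new_snaplen)   # snaplen lives at offset 16
    for ts_sec, ts_usec, orig_len, pkt in iter_records(data, endian):
        pkt = pkt[:new_snaplen]
        out += struct.pack(endian + 'IIII', ts_sec, ts_usec, len(pkt), orig_len)
        out += pkt
    return bytes(out)


def _build_sample():
    """Constructed capture: one untagged frame with a 20-byte IP header and one
    802.1Q-tagged frame with a 24-byte IP header (one option word), 40-byte payloads."""
    def ipv4(ihl_words):
        hdr = bytearray(ihl_words * 4)
        hdr[0] = 0x40 | ihl_words              # version 4, IHL
        hdr[9] = 6                              # protocol = TCP
        hdr[12:16] = bytes([10, 0, 0, 1])       # src 10.0.0.1 (constructed)
        hdr[16:20] = bytes([10, 0, 0, 2])       # dst 10.0.0.2 (constructed)
        return bytes(hdr) + b'\x00' * 40
    dst, src = b'\x00\x11\x22\x33\x44\x55', b'\x66\x77\x88\x99\xaa\xbb'
    frame1 = dst + src + struct.pack('!H', ETHERTYPE_IPV4) + ipv4(5)
    frame2 = (dst + src + struct.pack('!HH', ETHERTYPE_VLAN, 100)
              + struct.pack('!H', ETHERTYPE_IPV4) + ipv4(6))
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, frame in enumerate((frame1, frame2)):
        out += struct.pack('<IIII', 1249508962 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = _build_sample()

if __name__ == '__main__':
    file_snaplen, needed = minimum_snaplen(SAMPLE_PCAP)
    print('file snaplen %d, %d bytes needed to keep every IP header' % (file_snaplen, needed))
    small = truncate_pcap(SAMPLE_PCAP, needed)
    print('reduced from %d to %d bytes' % (len(SAMPLE_PCAP), len(small)))
```

The sample's tagged frame is what drives the answer to 42 (14 + 4 + 24) rather than the 34 in the reply, which is the point of the "add 4 if 802.1q vlan tags are present" caveat: the largest link header plus the largest IP header in the file decides the snaplen, not the common case. Anything past the IP header (TCP/UDP ports, payload) is discarded by the truncation, so check that the fields you need really stop at the IP header before cutting a capture down this far.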