Wireshark · Wireshark-users: [Wireshark-users] run tshark without buffering

Wireshark-users: [Wireshark-users] run tshark without buffering

From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>

Date: Thu, 6 Aug 2009 19:26:54 +0900

Hi,

I was wondering if there is a way to make tshark work packet by packet and skip the buffering. I just want to use a display filter on a huge cap-file without going out-of-memory. I know I can first cut in it pieces, but this is becoming a tedious job if you have to do it over and over again, even with scripting. Particularly this following command could be perfectly handled packet by packet, without the buffering (I guess):

tshark -R "ip.addr == 1.2.3.4" -r huge.cap -w filtered-huge.cap

Or is there another tool that can filter on ip address on big files?

Thank you,
Andrej

Prev by Date: Re: [Wireshark-users] mergecap: another size limitation?
Next by Date: Re: [Wireshark-users] Lockup and Network Name Decoding
Previous by thread: [Wireshark-users] Cannot select "Decode As" for X.25 traffic
Next by thread: [Wireshark-users] How do I change the default capture filter?
Index(es):
- Date
- Thread