Wireshark-users: [Wireshark-users] run tshark without buffering



From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Thu, 6 Aug 2009 19:26:54 +0900

Hi,

I was wondering if there is a way to make tshark work packet by packet and skip the buffering. I just want to use a display filter on a huge cap-file without going out-of-memory. I know I can first cut it in pieces, but this is becoming a tedious job if you have to do it over and over again, even with scripting. Particularly the following command could be perfectly handled packet by packet, without the buffering (I guess):

tshark -R "ip.addr == 1.2.3.4" -r huge.cap -w filtered-huge.cap

Or is there another tool that can filter on ip address on big files?

Thank you,
Andrej
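
The packet-by-packet filtering asked about above, as an added example that is not part of the original post and is not Wireshark code: a Python filter that copies matching records from a classic pcap file one record at a time, so memory use does not grow with file size. It assumes Ethernet link type, IPv4, and at most one 802.1Q tag; `filter_pcap` and `sample_pcap` are names made up for this example.

```python
import socket
import struct

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond pcap
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond pcap

def filter_pcap(src, dst, ip):
    """Copy Ethernet/IPv4 packets whose source or destination is `ip`
    from src to dst (binary file objects), holding one record in memory."""
    want = socket.inet_aton(ip)
    ghdr = src.read(24)
    if len(ghdr) < 24 or ghdr[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    end = MAGICS[ghdr[:4]]                 # byte order of the header fields
    snaplen, linktype = struct.unpack(end + "II", ghdr[16:24])
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    dst.write(ghdr)                        # global header is copied unchanged
    kept = 0
    while True:
        rhdr = src.read(16)
        if len(rhdr) < 16:
            break                          # clean EOF or truncated record header
        incl_len = struct.unpack(end + "I", rhdr[8:12])[0]
        if incl_len > max(snaplen, 262144):
            raise ValueError("implausible record length, file is corrupt")
        pkt = src.read(incl_len)
        if len(pkt) < incl_len:
            break                          # truncated final packet is dropped
        off = 12                           # EtherType follows the two MACs
        if pkt[off:off + 2] == b"\x81\x00":
            off += 4                       # skip one 802.1Q VLAN tag
        if pkt[off:off + 2] != b"\x08\x00" or len(pkt) < off + 22:
            continue                       # not IPv4, or IP header cut short
        ip_hdr = off + 2
        if want in (pkt[ip_hdr + 12:ip_hdr + 16], pkt[ip_hdr + 16:ip_hdr + 20]):
            dst.write(rhdr + pkt)          # record header keeps its timestamp
            kept += 1
    return kept

def sample_pcap(pairs):
    """Constructed test input: one minimal Ethernet/IPv4 frame per (src, dst)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for s, d in pairs:
        frame = (bytes(12) + b"\x08\x00" + b"\x45" + bytes(11)
                 + socket.inet_aton(s) + socket.inet_aton(d))
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

On real files, pass `open("huge.cap", "rb")` and `open("filtered-huge.cap", "wb")` as `src` and `dst`; the match is on raw IPv4 header addresses only, not the full display-filter semantics of `ip.addr`.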
