ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-users: Re: [Wireshark-users] How to cut big packet capture file to sevreal files

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Boaz Galil <boaz20@xxxxxxxxx>
Date: Sun, 16 Aug 2009 18:23:26 +0300

WOW,

Thank you for the fast respond. I really appreciate it.

I do have a follow up question (sorry for being greedy). After dividing the 500MB packet capture I just realized that I have only 15minutes of traffic and I actually need a specific traffic from the packet capture.  Let’s say I want to filter only traffic that has destination UDP port of 9000. Is it possible to do something like this from command line? Or do I need to open the GUI for it? (I was actually able to open the packet capture after you showed me how to divide the files… but if its possible to divide the file using a specific network/wireshark filter it would be great).

 

 



On Sun, Aug 16, 2009 at 5:43 PM, <j.snelders@xxxxxxxxxx> wrote:
Hi Boaz,

You can use editcap:
http://www.wireshark.org/docs/man-pages/editcap.html

Use capinfos to see how many packets the 500MB file contains:
http://www.wireshark.org/docs/man-pages/capinfos.html

$ capinfos -eac test.pcap
File name: test.pcap
Number of packets: 293054
Start time: Thu Oct 02 10:38:49 2008
End time: Thu Oct 02 12:11:23 2008


Next use editcap to split the file:
editcap <option -c packets per file> infile outfile
$ editcap -c 60000 test.pcap split.pcap


This is the result:
$ capinfos -c split*
File name: split.pcap-00000
Number of packets: 60000

File name: split.pcap-00001
Number of packets: 60000

File name: split.pcap-00002
Number of packets: 60000

File name: split.pcap-00003
Number of packets: 60000

File name: split.pcap-00004
Number of packets: 53054

Hope this helps
Joan


On Sun, 16 Aug 2009 16:42:22 +0300 Boaz Galil wrote:
>
>I captured 500MB in one file.  I cant open this file on my PC (windows XP
>latest wireshark version 1.2.0). Is there any way to cut the file to sevreal
>equal  files (without opening the wireshark application) so I will be able
>to open the files?
>
>Thanks in advance,
>
>--
>Boaz.




___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



--
Boaz.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube