Wireshark · Ethereal-users: Re: [Ethereal-users] Filtering with EDITCAP

Ethereal-users: Re: [Ethereal-users] Filtering with EDITCAP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Tue, 17 Jan 2006 23:39:30 -0800

Ken Young wrote:

Can some provide me with an example where I can take a saved capture file
and run EDITCAP.EXE against it to strip out (exclude) certain protocols?

No, they can't, because editcap doesn't dissect packets, so it has noidea what protocols are in a packet, and thus cannot exclude certainprotocols when processing a capture file.

If you want to strip out certain protocols, you'd do that withtethereal, which *does* dissect packets.

Note, by the way, that a reassembled packet (i.e., one whose data iscontained in more than one lower-level packets) will be identified asbeing a packet with a given protocol only in the last of the lower-levelpackets, so the other packets wouldn't be stripped out in that case.

Ie. Remove CDP and STP packets via command line.


	tethereal -r {input file} -w {output file} -R "not cdp and not stp"

References:
- [Ethereal-users] Filtering with EDITCAP
  - From: Ken Young

Prev by Date: [Ethereal-users] 801.11 Captures
Next by Date: [Ethereal-users] FAQ(Ethereal)
Previous by thread: [Ethereal-users] Filtering with EDITCAP
Next by thread: [Ethereal-users] 801.11 Captures
Index(es):
- Date
- Thread