Wireshark-users: Re: [Wireshark-users] Using Editcap to extract UNISTIM VoIP Call

From: "Luis EG Ontanon" <luis@xxxxxxxxxxx>
Date: Wed, 30 Jan 2008 17:28:27 +0100
Editcap does not know anything about what is in the frame, it is only
aware of the frame "metadata" (i.e. date, length, link type).

For editcap, frame data is just that: uninterpretable data.

tshark can do that:

$ tshark -r in_file.cap -w out_file.cap "ip.addr == 1.2.3.4 && udp.port > 3000 && udp.port < 3200"
will save an out_file that contains only the packets matching the
display filter (the one between "")


On Jan 30, 2008 5:19 PM, J P <jrp999@xxxxxxxxx> wrote:
> Hi,
>
> Is it possible to do the following using EDITCAP:
>
> Select packets based on:
> -Select IP Address and Source Port
> -Select IP Address and Destination Port
> -As well as Start and End time of packets
>
> Across Multiple Input Capture Files.
>
> The capture files are 250 Mb in size and are very time consuming to load and
> analyze.
>
> What I need to do is to be able to extract out a specific VoIP call using
> UNISTIM that spans multiple capture files based on IP Address and Source
> and/or Destination Port and possibly within a specific time frame.
>
> This extracted call would then be copied off for further analysis.
>
> If you have any questions or require further information please let me know.
>
> Thanx,
>
> John

-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
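
Added example (not part of the original message): the tshark approach above extended to the full request, one host, a UDP port range and a time window across several capture files, with the per-file results merged by mergecap. The function names and the sample times are assumptions; the port bounds here are inclusive and use -Y to pass the display filter.

```shell
#!/bin/sh
# Added example; build_filter and extract_call are hypothetical helper names.

# build_filter HOST LOW_PORT HIGH_PORT START END
# Prints a display filter; rejects values that would alter the expression.
build_filter() {
    for p in "$2" "$3"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;;
        esac
        [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 2; }
    done
    [ "$2" -le "$3" ] || { echo "low port above high port" >&2; return 2; }
    case "$1$4$5" in
        *\"*) echo "double quote not allowed in host or times" >&2; return 2 ;;
    esac
    printf 'ip.addr == %s && udp.port >= %s && udp.port <= %s && frame.time >= "%s" && frame.time <= "%s"' \
        "$1" "$2" "$3" "$4" "$5"
}

# extract_call OUT_FILE FILTER IN_FILE...
# Filters each input on its own (so no 250 MB file is loaded in the GUI),
# then merges the small per-file results in timestamp order.
extract_call() {
    out=$1; filter=$2; shift 2
    tmpdir=$(mktemp -d) || return 1
    n=0
    for f in "$@"; do
        n=$((n + 1))
        tshark -r "$f" -Y "$filter" -w "$tmpdir/part$n.pcap" || {
            rm -rf "$tmpdir"; return 1
        }
    done
    mergecap -w "$out" "$tmpdir"/part*.pcap
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Usage (constructed sample values):
#   flt=$(build_filter 1.2.3.4 3000 3200 "2008-01-30 16:00:00" "2008-01-30 16:30:00")
#   extract_call call.pcap "$flt" capture_1.cap capture_2.cap
```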