Wireshark-users: Re: [Wireshark-users] Betr: Re: edit a pcap capture to shorten filelength?

From: "Tracy Dennis" <TracyDennis@xxxxxxxxxxxxxxxxx>
Date: Mon, 19 May 2008 13:43:19 -0700
Option 1 worked beautifully - thanks everyone for the ideas! - and
thanks to Joan for the solution!

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
j.snelders@xxxxxxxxxx
Sent: Monday, May 19, 2008 11:55 AM
To: Community support list for Wireshark
Subject: [Wireshark-users] Betr: Re: edit a pcap capture to shorten filelength?

Hi,

There are different ways to save a selection of the 90MB file.

1: Mark 2 packets and save the selection
Let's say the number of packets in the 90MB file is 90.000.
Right-click on the 1st and 20.000th packet (Packet Summary Line) and choose
Mark Packet (toggle).
File -> Save As -> Packet Range -> select First to last marked -> save

Unmark those packets and mark the 20.001st and 40.000th packet, etc.

2: Use a display filter and save the selected packets.

3: Editcap
C:\Program Files\Wireshark\editcap
http://www.wireshark.org/docs/man-pages/editcap.html 

C:\Program Files\Wireshark>editcap -c 20000 90MB.pcap SplitFile.pcap
With the option -c you can define the maximum number of packets per
file.

The result will be 5 output files, numbered from 00000 to 00004:
SplitFile.pcap-00000	20.000 packets
SplitFile.pcap-00001	20.000 packets
SplitFile.pcap-00002	20.000 packets
SplitFile.pcap-00003	20.000 packets
SplitFile.pcap-00004	10.000 packets

Grtz
Joan


>On 19 May 2008 Jake Peavy wrote:
>
>On 5/19/08, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
>>
>> On Mon, May 19, 2008 at 09:15:08AM -0700, Tracy Dennis wrote:
>>
>> > I'm new to the application, so I apologize if this is a stupid
>> > question. I performed a capture that generated a 90 MB file, but I can
>> > only FTP a 20 MB file maximum to Cisco.  Is there a way to cut out or
>> > copy only a part of the capture to generate another PCAP file?
>>
>>
>> Check out the editcap command-line program that comes with Wireshark.
>> It lets you split your 90MB file into multiple files with 'x' number of
>> packets each.  Not the easiest solution, but if you play with it a bit
>> you should be able to trim down your files.
>
>
>or split,
>or gzip -9 may be enough,
>or an appropriate display filter and then save -> displayed packets only.
>
>
>-- 
>-jp
>
>Laurie got offended that I used the word "puke." But to me, that's what her
>dinner tasted like.
>
>deepthoughtsbyjackhandy.com
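What a split by packet count (option 3 in the thread) does to a classic pcap file, as an added Python example that is not part of the original thread and is not editcap's own code. The function names and the sample capture are constructed for illustration, and pcapng files are not handled.

```python
import struct

# Classic pcap magic bytes -> struct byte order (microsecond and nanosecond variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def read_records(data):
    """Return (global_header, [raw records]) for classic pcap bytes."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order, records, pos = MAGICS[data[:4]], [], 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError(f"truncated record header at offset {pos}")
        # Record header: ts_sec, ts_frac, incl_len (bytes stored), orig_len.
        incl_len = struct.unpack(order + "IIII", data[pos:pos + 16])[2]
        end = pos + 16 + incl_len
        if end > len(data):
            raise ValueError(f"truncated packet data at offset {pos}")
        records.append(data[pos:end])
        pos = end
    return data[:24], records

def split_pcap(data, max_packets):
    """Split into pieces of at most max_packets records, each a valid pcap."""
    if max_packets < 1:
        raise ValueError("max_packets must be at least 1")
    header, records = read_records(data)
    # Every piece starts with the unchanged 24-byte global header, so the link
    # type and snaplen survive and each piece opens on its own.
    return [header + b"".join(records[i:i + max_packets])
            for i in range(0, len(records), max_packets)]

def make_sample(n):
    """Constructed sample: little-endian pcap with n dummy 60-byte Ethernet frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n):
        frame = bytes([i % 256]) * 60
        out += struct.pack("<IIII", 1_000_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    # Scaled-down version of the thread's case: 9 packets, at most 2 per file.
    for idx, piece in enumerate(split_pcap(make_sample(9), 2)):
        print(f"SplitFile.pcap-{idx:05d}", len(read_records(piece)[1]), "packets")
```

Because each piece repeats the global header, the pieces together are slightly larger than the original, so a size limit such as the 20 MB one in the question should be checked against the output files rather than assumed from the packet count.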