Wireshark-users: Re: [Wireshark-users] How to filter out last 1000 frames in a quick way

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Mon, 07 Jul 2008 15:28:04 -0400
Abhik Sarkar wrote:
Or, if you are in a *nix environment (or have Cygwin on Windows), with
a bit of scripting, you can do the following:
use capinfos to get the number of packets in the file:
$ capinfos -c test.cap
File name: test.cap
Number of packets: 8802

Then use something like:
$ editcap -r test.cap extract.cap 7803-8802

Then, extract.cap will have the last 1000 packets!

This method is longer than what Hansang suggested, but will result in
exactly one file which is of interest to you ;-)


Very true! And you never know, the "final" file could have just 800 packets in it, so this is a better approach.


--

Thanks,
Hansang
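
The capinfos/editcap procedure from the quoted message as a single script, added here as an example and not part of the original thread. The function names are invented for this sketch; it passes -M to capinfos so the packet count is printed as a raw number, and it clamps the range to start at packet 1 when the file holds fewer packets than requested.

```shell
#!/bin/sh
# Added example: keep only the last N packets of a capture file.
# Function names are hypothetical; capinfos and editcap come from Wireshark.

# last_n_range TOTAL N -> prints "START-END" for editcap -r.
# Rejects non-numeric or zero input; clamps START to 1 for short files.
last_n_range() {
    total=$1
    n=$2
    case "$total" in ''|*[!0-9]*) return 1 ;; esac
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$total" -gt 0 ] && [ "$n" -gt 0 ] || return 1
    start=$(( total - n + 1 ))
    if [ "$start" -lt 1 ]; then
        start=1
    fi
    printf '%s-%s\n' "$start" "$total"
}

# Reads capinfos -c output on stdin and prints the packet count.
# Prints nothing unless the value is a plain integer, so a
# human-readable count such as "10 k" is never mistaken for 10.
parse_packet_count() {
    sed -n 's/^Number of packets:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' |
        head -n 1
}

# extract_last_n INPUT OUTPUT [N]   (N defaults to 1000)
extract_last_n() {
    src=$1
    dst=$2
    want=${3:-1000}
    # -M asks capinfos for raw numeric values instead of SI suffixes.
    count=$(capinfos -c -M "$src" | parse_packet_count)
    range=$(last_n_range "$count" "$want") || {
        echo "could not determine packet range for $src" >&2
        return 1
    }
    # -r keeps the selected packets instead of deleting them.
    editcap -r "$src" "$dst" "$range"
}

# Run only when called with arguments: script.sh INPUT OUTPUT [N]
if [ "$#" -ge 2 ]; then
    extract_last_n "$@"
fi
```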