
Wireshark-users: Re: [Wireshark-users] maximum file size that can be opened using wireshark

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Fri, 1 May 2009 08:48:42 +1000
As Jaap mentioned editcap allows you to split up files by time or
packet number. However this may not be always useful if you are
looking for a particular set of packets that can be narrowed down by
protocol attributes.

In this case use tshark to filter out what you are interested in.
tshark streams through the input data and hence does not have the same
memory requirements as wireshark. Of course you need to know what to
filter for.

To use this you need to run it something like "tshark -n -r
infile.pcap -R 'whatever_display_filter_is_needed' -w outfile.pcap".

So for instance to just see traffic associated with HTTP on TCP port
80 you might want something like "tshark -n -r infile.pcap -R 'http &&
tcp.port==80' -w outfile.pcap". Or for all TCP traffic between IP
address clients 10.0.0.1 and 10.0.0.2 and a server 10.0.0.100 you
might want "tshark -n -r infile.pcap -R '(ip.addr==10.0.0.1 ||
ip.addr==10.0.0.2) && ip.addr==10.0.0.100 && tcp' -w outfile.pcap".

The output file can of course be read by wireshark. Note that the "-n"
flag is not absolutely necessary but it prevents the need for a large
number of DNS lookups, which is often not required.


Regards, Martin

MartinVisser99@xxxxxxxxx
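The point Martin makes is that tshark streams the capture record by record instead of loading it all, so memory stays flat regardless of file size. As an added illustration that is not part of the original thread and is not tshark, here is a small Python filter that does the same thing for the second command above (TCP between clients 10.0.0.1/10.0.0.2 and server 10.0.0.100); it assumes a classic little- or big-endian pcap with Ethernet link type, and the sample capture is constructed inline.

```python
import struct
import io

def _ipv4_frame(src, dst, proto, payload):
    """Minimal Ethernet/IPv4 frame for the constructed sample (checksum left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload

def _record(frame, ts):
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
# Constructed sample capture: little-endian classic pcap, link type 1 (Ethernet).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _record(_ipv4_frame("10.0.0.1", "10.0.0.100", 6, TCP_SYN), 1),       # keep
    _record(_ipv4_frame("10.0.0.5", "10.0.0.100", 6, TCP_SYN), 2),       # other client
    _record(_ipv4_frame("10.0.0.2", "10.0.0.100", 17, b"\x00" * 8), 3),  # UDP, not tcp
    _record(_ipv4_frame("10.0.0.100", "10.0.0.2", 6, TCP_SYN), 4),       # keep (reply)
])

def matches(frame, clients, server):
    """Same test as '(ip.addr==c1 || ip.addr==c2) && ip.addr==server && tcp'."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False                      # not IPv4 over Ethernet
    addrs = {".".join(map(str, frame[i:i + 4])) for i in (26, 30)}
    return frame[23] == 6 and server in addrs and not addrs.isdisjoint(clients)

def filter_pcap(src, dst, clients, server):
    """Copy src to dst one record at a time, writing only matching frames, so
    memory use is bounded by the largest record, not the file. Returns (kept, total)."""
    gh = src.read(24)
    magic = struct.unpack("<I", gh[:4])[0] if len(gh) == 24 else None
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic microsecond pcap (pcapng/nanosecond unsupported)")
    if struct.unpack(endian + "I", gh[20:24])[0] != 1:
        raise ValueError("only link type 1 (Ethernet) is handled here")
    dst.write(gh)
    kept = total = 0
    while True:
        rh = src.read(16)
        if len(rh) < 16:                  # clean EOF (or a truncated trailer)
            return kept, total
        frame = src.read(struct.unpack(endian + "IIII", rh)[2])
        total += 1
        if matches(frame, clients, server):
            dst.write(rh + frame)
            kept += 1
```

In real use you would pass `open(path, "rb")` and `open(out, "wb")` instead of the in-memory sample, but tshark remains the better tool for this job. Note that in current tshark releases `-Y` is the single-pass display filter and `-R` has become the two-pass read filter.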



On Thu, Apr 30, 2009 at 10:17 PM, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
> Hi,
>
> Use editcap to chop it up in more manageable pieces.
>
> Thanx,
> Jaap
>
> ram singh wrote:
>> hi all...
>> i have captured and saved a file using tcpdump. File size is 1.58GB. when
>> i am trying to open the file using wireshark the file gets loaded for
>> about 4 per cent (%) and then it is throwing an error as "OUT OF MEMORY
>> WIRESHARK SHOULD BE TERMINATED" can any one please help me in opening this file
>>