Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] filtering in non-GUI mode

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Fri, 17 Jul 2009 15:54:49 +0200
Andrej,

You can use tshark for this purpose:

tshark -r in.cap -w out.cap -R ip.addr==1.2.3.4

HTH,
Cheers,
    Sake

----- Original Message ----- From: "Andrej van der Zee" <andrejvanderzee@xxxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Friday, July 17, 2009 3:32 PM
Subject: [Wireshark-users] filtering in non-GUI mode


Hi,

I have huge capture files and I would like to filter them, without
loading the whole cap-file. The display filter does what I want
(wireshark -R ip.addr==1.2.3.4 dump.cap), but instead of buffering
everything into the GUI, I would like to output the filtered packages
to a new cap-file. The original cap-file is 1.3GB and Wireshark will
get passed its maximum allowed process-memory when it loads it.

Is there a way to filter in non-GUI mode?

Thank you,
Andrej
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe