Wireshark-users: Re: [Wireshark-users] How to cut big packet capture file to sevreal files
Date: Sun, 16 Aug 2009 16:43:07 +0200
Hi Boaz,

You can use editcap:

Use capinfos to see how many packets the 500MB file contains:

$ capinfos -eac test.pcap
File name: test.pcap
Number of packets: 293054
Start time: Thu Oct 02 10:38:49 2008
End time: Thu Oct 02 12:11:23 2008

Next use editcap to split the file:
editcap <option -c packets per file> infile outfile
$ editcap -c 60000 test.pcap split.pcap

This is the result:
$ capinfos -c split*
File name: split.pcap-00000
Number of packets: 60000

File name: split.pcap-00001
Number of packets: 60000

File name: split.pcap-00002
Number of packets: 60000

File name: split.pcap-00003
Number of packets: 60000

File name: split.pcap-00004
Number of packets: 53054

Hope this helps

On Sun, 16 Aug 2009 16:42:22 +0300 Boaz Galil wrote:
>I captured 500MB in one file.  I cant open this file on my PC (windows XP
>latest wireshark version 1.2.0). Is there any way to cut the file to sevreal
>equal  files (without opening the wireshark application) so I will be able
>to open the files?
>Thanks in advance,