Wireshark-users: Re: [Wireshark-users] How to cut big packet capture file to several files
From: Boaz Galil <[email protected]>
Date: Sun, 16 Aug 2009 18:23:26 +0300


Thank you for the fast response. I really appreciate it.

I do have a follow-up question (sorry for being greedy). After dividing the 500MB packet capture I just realized that I have only 15 minutes of traffic and I actually need specific traffic from the packet capture. Let’s say I want to filter only traffic that has a destination UDP port of 9000. Is it possible to do something like this from the command line? Or do I need to open the GUI for it? (I was actually able to open the packet capture after you showed me how to divide the files… but if it's possible to divide the file using a specific network/Wireshark filter it would be great).



On Sun, Aug 16, 2009 at 5:43 PM, <[email protected]> wrote:
Hi Boaz,

You can use editcap:
Use capinfos to see how many packets the 500MB file contains:
$ capinfos -eac test.pcap
File name: test.pcap
Number of packets: 293054
Start time: Thu Oct 02 10:38:49 2008
End time: Thu Oct 02 12:11:23 2008

Next use editcap to split the file:
editcap <option -c packets per file> infile outfile
$ editcap -c 60000 test.pcap split.pcap

This is the result:
$ capinfos -c split*
File name: split.pcap-00000
Number of packets: 60000

File name: split.pcap-00001
Number of packets: 60000

File name: split.pcap-00002
Number of packets: 60000

File name: split.pcap-00003
Number of packets: 60000

File name: split.pcap-00004
Number of packets: 53054

Hope this helps

On Sun, 16 Aug 2009 16:42:22 +0300 Boaz Galil wrote:
>I captured 500MB in one file. I can't open this file on my PC (Windows XP,
>latest Wireshark version 1.2.0). Is there any way to cut the file into several
>equal files (without opening the Wireshark application) so I will be able
>to open the files?
>Thanks in advance,
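
What the packet-count split in the reply above does at the file level, together with the destination-UDP-port selection asked about in the follow-up, as an added Python example that is not from the thread or from the Wireshark project. It assumes a classic little-endian pcap (not pcapng) with Ethernet/IPv4 frames; all function names are hypothetical and the sample capture is constructed in memory.

```python
import struct

MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps

def make_pcap(ports):
    """Constructed sample: one Ethernet/IPv4/UDP frame per destination port."""
    out = struct.pack("<IHHiIII", MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, dport in enumerate(ports):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, dport, 8, 0)
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_records(data):
    """Yield (16-byte record header, frame bytes) for each packet record."""
    if len(data) < 24 or struct.unpack_from("<I", data)[0] != MAGIC_LE:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        end = off + 16 + incl_len
        if end > len(data):  # truncated final record, e.g. capture was interrupted
            break
        yield data[off:off + 16], data[off + 16:end]
        off = end

def count_packets(data):
    return sum(1 for _ in read_records(data))

def split_by_count(data, n):
    """Same idea as `editcap -c n`: file header + at most n records per output."""
    recs = [hdr + frame for hdr, frame in read_records(data)]
    return [data[:24] + b"".join(recs[i:i + n]) for i in range(0, len(recs), n)]

def udp_dport(frame):
    """Destination port of an unfragmented Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    if struct.unpack_from("!H", frame, 20)[0] & 0x1FFF:  # later fragment: no UDP header
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4
    return struct.unpack_from("!H", frame, l4 + 2)[0] if len(frame) >= l4 + 4 else None

def filter_dport(data, port):
    """Keep only records whose UDP destination port equals `port`."""
    return data[:24] + b"".join(h + f for h, f in read_records(data) if udp_dport(f) == port)
```

Each piece returned by `split_by_count` or `filter_dport` starts with its own copy of the 24-byte file header, so it is a valid capture on its own; the last piece of a split holds the remainder, as with the 53054-packet file in the reply.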
