Wireshark-users: Re: [Wireshark-users] Something like editcap?

From: Chris Maynard <Chris.Maynard@xxxxxxxxx>
Date: Tue, 28 Jun 2011 20:17:38 +0000 (UTC)
Kurt Buff <kurt.buff@...> writes:

> I'm trying to troubleshoot slow web page loading at $WORK, and have
> three captures taken simultaneously - 1 wireshark capture at the test
> XP workstation, and two tcpdumps at the firewall (one for each NIC,
> inside and outside).
> I'd really like to slim down the two large cap files, and then merge
> all three of them, but editcap seems only to work on packet
> numbers, not actual packet content.

Don't use editcap for that; use tshark or wireshark filtering to focus on only
what you need.  You can filter on any combination of protocols, IP addresses,
etc. to trim down the files to only the relevant packets.  Of course you might
want to use editcap to adjust the timestamps of the files so that the packets
appear in correct chronological order if you merge them or even if you don't
merge them.  Check the user's guide and/or Wireshark wiki and/or man pages for
help with display filters, editing timestamps, etc.
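The workflow suggested in the reply (trim with a tshark display filter, align clocks with editcap -t, then merge with mergecap), written up as an added example that is not part of the original thread. tshark, editcap and mergecap are the real Wireshark command-line tools; the file names, the workstation address, the filter and the timestamp values are assumed placeholders.

```shell
#!/bin/sh
# Added example: trim three captures to the traffic of interest, align their
# clocks, and merge them. Assumes tshark, editcap and mergecap are on PATH.
# Run the whole pipeline with:  sh trim-and-merge.sh run
set -eu

WORKSTATION_IP="${WORKSTATION_IP:-10.0.0.5}"   # assumed address of the XP test box
FILTER="ip.addr == ${WORKSTATION_IP} && (tcp.port == 80 || tcp.port == 443 || dns)"

# Keep only packets matching a display filter (this is tshark's job, not editcap's).
# Note: tshark releases before 1.10 spell the read filter option -R instead of -Y.
trim_capture() {  # trim_capture <in.pcap> <out.pcap> <display-filter>
    [ $# -eq 3 ] || { echo "usage: trim_capture in out filter" >&2; return 2; }
    tshark -r "$1" -Y "$3" -w "$2"
}

# Offset in seconds to hand to editcap -t so that a packet stamped $2 on the
# firewall clock lines up with the same packet stamped $1 on the workstation clock.
capture_offset() {  # capture_offset <reference_epoch> <other_epoch>
    [ $# -eq 2 ] || return 2
    awk -v ref="$1" -v other="$2" 'BEGIN { printf "%.6f\n", ref - other }'
}

# Shift every timestamp in a capture by a (possibly negative, fractional) number of seconds.
shift_capture() {  # shift_capture <in.pcap> <out.pcap> <offset-seconds>
    [ $# -eq 3 ] || return 2
    editcap -t "$3" "$1" "$2"
}

main() {
    trim_capture firewall-inside.pcap  inside-small.pcap  "$FILTER"
    trim_capture firewall-outside.pcap outside-small.pcap "$FILTER"
    # Constructed values: the same SYN was stamped 1309290000.25 by the workstation
    # and 1309290003.75 by the firewall, i.e. the firewall clock runs 3.5 s ahead.
    off=$(capture_offset 1309290000.25 1309290003.75)   # -> -3.500000
    shift_capture inside-small.pcap  inside-aligned.pcap  "$off"
    shift_capture outside-small.pcap outside-aligned.pcap "$off"
    # mergecap interleaves its inputs chronologically by timestamp (default mode).
    mergecap -w merged.pcap workstation.pcap inside-aligned.pcap outside-aligned.pcap
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Pick the reference packet by hand (one that all three captures clearly contain, such as the first SYN of the slow page load) and read its timestamps from each file to get the two epoch values.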