This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Save packets from a filter into file

0

Hi All, I have captured packets over network for some time, I have a big file by now . Now I want to save all the packets to or from a IP into separate file,because I don't need remaining . I used (ip.addr eq XX.XX.XX.XX) filter but it taking so much time in filtering and analyzing. Any help in this would be appriciated. Thanks, Kris.

asked 19 Jan '11, 00:34

Kris's gravatar image

Kris
6113
accept rate: 0%

3 Answers:

1

This is what I would do:

  1. If your file is so large that tshark won't be able to read it completely I'd chop it into smaller pieces using editcap -c 100000 <infile> <chunkfile>, which gives you chunks of 100,000 frames each. Otherwise you do the tshark in step2 directly on your source file.
  2. write a batch that uses tshark on each chunk. The tshark commands would look something like this: tshark -r <chunkfile##> -R "ip.addr eq XX.XX.XX.XX" -w <filteredfile##>
  3. Use mergecap to merge all filtered files into one single file again: **mergecap -a <finalfile> <filteredfile01> <filteredfile02> <filteredfile03>...

You should end up with one file containing only the filtered IP. Hope it helps.

answered 19 Jan '11, 06:19

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thanks Jasper, you solved my issue.

(19 Jan '11, 20:39) Kris

2

You can also use tcpdump (or WinDump if you are using Windows). It is quicker as it does not do full dissection of each packet. This is was you would be using:

tcpdump -r <infile> -w <outfile> host x.x.x.x

answered 21 Jan '11, 12:51

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks SYNbit for the info, this is very helpful where I can filter out the packets while capturing itself.

(23 Jan '11, 20:39) Kris

If you run tcpdump on a network card instead of reading from file (leave out the "-r <infile>" part from Sake's answer) you should be doing just that. You might have to specify the network card if you've got multiple of them.

(25 Jan '11, 09:29) Jasper ♦♦

0

You have several options:

  • Script it, using tshark
  • Use a faster disk
  • Use more / faster memory
  • Use a faster CPU (in clock cycles, not cores)
  • Recompile Wireshark / Tshark without zlib

answered 19 Jan '11, 05:52

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%