I have a 200GB pcap file which I need to decode as FAST. As Wireshark cannot open that huge file, I have to split the file into smaller files and decode each file, and it has to be done using a script because I will end up with around 1000 files. So I need to be able to decode a file through a command line interface. As I've observed in the Wireshark user guide, there's a -d option which is the same as Decode As in the GUI version. However, my Wireshark does not recognize -d as a valid option. I have also used tshark, but it does not recognize FAST as a valid dissector. I would appreciate it if anyone could help me with this problem. Why is there no -d option in Wireshark, and why does tshark not recognize FAST while there is a FAST dissector available in the Wireshark GUI version? What's the best way to dissect a massive pcap file? Thanks.
asked 20 Feb '13, 13:29 fhaghigh, edited 21 Feb '13, 18:57 Guy Harris ♦♦
One Answer:
Are you talking about the FAST dissector plugin? If so, then it might be better to ask the authors of that plugin how and if it works with your version of Wireshark. Their web site has an example of how to "decode as FAST" (tshark option -o).
Regarding your question about how to split a large capture file, please read the following questions/answers.
Maybe SplitCap and/or CapLoader are also of interest to you.
Regards
answered 20 Feb '13, 14:09 Kurt Knochner ♦, edited 20 Feb '13, 14:16
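As an added example (my own code, not from the question, the answer or the Wireshark project), here is a streaming splitter for the classic pcap format that produces chunks tshark can read one by one: it copies the 24-byte global header into every chunk, walks the 16-byte record headers without loading the file, handles little- and big-endian files and the nanosecond magic, and rejects pcapng. All function names are mine; `make_sample_pcap` builds a constructed capture of filler frames so `demo` runs without a real 200GB file.

```python
import os, struct, tempfile
# Classic pcap magic (read little-endian): microsecond/nanosecond variants, LE ("<") or BE (">") files.
_ORDER = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}

def _open_pcap(f):
    """Read the 24-byte global header; return it with the struct byte-order prefix."""
    ghdr = f.read(24)
    magic = struct.unpack("<I", ghdr[:4])[0] if len(ghdr) == 24 else None
    if magic not in _ORDER:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    return ghdr, _ORDER[magic]

def _records(f, order):
    """Stream (16-byte record header, packet bytes) pairs without reading the whole file."""
    while phdr := f.read(16):
        incl_len = struct.unpack(order + "IIII", phdr)[2]  # ts_sec, ts_frac, incl_len, orig_len
        data = f.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet record")
        yield phdr, data

def split_pcap(src, dst_prefix, packets_per_chunk):
    """Split src into self-contained pcap files of at most packets_per_chunk packets each."""
    paths, out = [], None
    with open(src, "rb") as f:
        ghdr, order = _open_pcap(f)
        for i, (phdr, data) in enumerate(_records(f, order)):
            if i % packets_per_chunk == 0:  # start a new chunk and repeat the global header
                if out: out.close()
                paths.append(f"{dst_prefix}_{len(paths):05d}.pcap")
                out = open(paths[-1], "wb")
                out.write(ghdr)
            out.write(phdr + data)
    if out: out.close()
    return paths

def count_packets(path):
    with open(path, "rb") as f:
        return sum(1 for _ in _records(f, _open_pcap(f)[1]))

def make_sample_pcap(path, n, order="<"):
    """Constructed input: n Ethernet (linktype 1) records of filler bytes, snaplen 65535."""
    with open(path, "wb") as f:
        f.write(struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i in range(n):
            payload = bytes([i & 0xFF]) * (60 + i)
            f.write(struct.pack(order + "IIII", 1361400000 + i, 0, len(payload), len(payload)) + payload)

def demo(n_packets, per_chunk, order="<"):
    with tempfile.TemporaryDirectory() as tmp:  # split a constructed capture, return per-chunk counts
        src = os.path.join(tmp, "big.pcap")
        make_sample_pcap(src, n_packets, order)
        return [count_packets(p) for p in split_pcap(src, os.path.join(tmp, "part"), per_chunk)]
```

In practice Wireshark's own editcap does the same split (-c packets-per-file), after which each chunk is passed to tshark -r in a loop; the code above shows what a valid chunk has to contain for that loop to work.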
Thanks so much for your help.
You're welcome.
Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.