This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

split NetScaler large trace file

0

How to split a large NetScaler cap file? It is showing Sun snoop file type. Tried editcap with no luck.

asked 04 Jul '13, 06:00


kishan pandey


One Answer:

0

Please call editcap with the following option

editcap -F snoop

UPDATE

I'm sorry, I was on the wrong track. -F is just the output file format.

The following command works with a sample snoop file. It will split the original file in pieces of 100 packets.

editcap -c 100 input.snoop output.pcap

Sample file:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=genbroad.snoop

BTW: it also works with option -F snoop on my system (Windows XP, Wireshark 1.10.0)

editcap -c 100 -F snoop input.snoop output.pcap

If these commands do not work with your snoop file, please post the Wireshark version (wireshark -v) and the error message.

UPDATE 2

O.K. I did a test with a sample nstrace file and this command works.

editcap -c 200 -F nstrace20 nstrace1_test.cap output.pcap

Regards
Kurt

answered 04 Jul '13, 06:29


Kurt Knochner ♦

edited 08 Jul '13, 02:15

Tried it, still not able to split the file, showing error "editcap: Can't open or create output.pcap: Files from that network type can't be saved in that format"

(04 Jul '13, 08:16) kishan pandey

please see my UPDATE in the answer.

(04 Jul '13, 08:32) Kurt Knochner ♦

Please find the capinfo output, it starts with .cap extension, not snoop. Wireshark version is 1.8.4.

D:\ndl\Wireshark>capinfos.exe nstrace9.cap
File name: nstrace9.cap
File type: NetScaler Trace (Version 2.0)
File encapsulation: NetScaler Encapsulation 2.0 of Ethernet
Packet size limit: file hdr: (not set)
Number of packets: 152364
File size: 75546624 bytes
Data size: 70570504 bytes
Capture duration: 1 seconds
Start time: Tue Jul 02 13:47:51 2013
End time: Tue Jul 02 13:47:51 2013
Data byte rate: 79368489.77 bytes/sec
Data bit rate: 634947918.14 bits/sec
Average packet size: 463.17 bytes
Average packet rate: 171359.14 packets/sec
SHA1: f61908d04e1b8d46fb9e350b93a1a54bdcf8fd61
RIPEMD160: 9398681630f2bdc6c92d401ea62734f82aece3ff
MD5: 866ada08168425a3de8513d163993447
Strict time order: False

(04 Jul '13, 09:39) kishan pandey

it is showing sun snoop file type

O.K. so it is not a snoop file.

So, can you please post the full error message of editcap and the parameters you used?

(04 Jul '13, 11:14) Kurt Knochner ♦

editcap -c 50000 -F snoop nstrace9.cap output.pcap and then it shows an error "editcap: Can't open or create output.pcap: Files from that network type can't be saved in that format."

(05 Jul '13, 01:52) kishan pandey

Try splitting it with a command that does not contain the string "snoop" anywhere.

You cannot write out packets from a NetScaler file into a snoop file or a pcap file or a pcap-ng file or any other file format, because, at least inside Wireshark and its tools, packets from NetScaler files have special NetScaler metadata at the beginning, and no other file formats support that.

Try something such as

editcap -c 50000 nstrace9.cap output.cap

(05 Jul '13, 11:59) Guy Harris ♦♦

Hi Harris, bad luck again: "editcap -c 50000 -F nstrace9.cap output.cap". "editcap: "nstrace9.cap" isn't a valid capture file type".

(07 Jul '13, 05:04) kishan pandey

Sorry, no -F flag. I've edited my comment to fix that.

(07 Jul '13, 09:39) Guy Harris ♦♦

See UPDATE 2 in my answer.

(08 Jul '13, 02:14) Kurt Knochner ♦

Great Kurt, it worked this time, nothing will be left unanswered in this forum.

(08 Jul '13, 22:41) kishan pandey
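
The point made in the comments above (packets from a NetScaler trace can only be written back to a NetScaler format), as an added example that is not part of the original thread: a shell script that reads the "File type" line of capinfos output and prints an editcap split command that keeps the native format. The function names and the sample text are constructed here, and the nstraceXY names for versions other than 2.0 are an assumption that they follow the same pattern as the nstrace20 used in the answer.

```shell
#!/bin/sh
# Added example: pick an editcap output format that can hold the packets of
# the input capture, based on the "File type" line printed by capinfos.

# Constructed sample: the relevant capinfos lines for the trace in this thread.
SAMPLE_CAPINFOS='File name:           nstrace9.cap
File type:           NetScaler Trace (Version 2.0)
File encapsulation:  NetScaler Encapsulation 2.0 of Ethernet
Number of packets:   152364'

# Extract the "File type:" value from capinfos output read on stdin.
capinfos_file_type() {
    sed -n 's/^File type:[[:space:]]*//p' | head -n 1
}

# Map a NetScaler file type to an editcap -F name. "nstrace20" is the name
# used in the thread; other versions follow the same pattern by assumption.
# Prints nothing for file types that are not NetScaler traces.
native_format() {
    printf '%s\n' "$1" |
        sed -n 's/^NetScaler Trace (Version \([0-9]\)\.\([0-9]\))$/nstrace\1\2/p'
}

# Print the editcap command that splits file $2 into pieces of $3 packets
# named after $4, given capinfos output in $1.
plan_split() {
    ftype=$(printf '%s\n' "$1" | capinfos_file_type)
    if [ -z "$ftype" ]; then
        echo "no File type line in capinfos output" >&2
        return 1
    fi
    fmt=$(native_format "$ftype")
    if [ -n "$fmt" ]; then
        # NetScaler records carry NetScaler metadata: keep the native format.
        printf 'editcap -c %s -F %s %s %s\n' "$3" "$fmt" "$2" "$4"
    else
        printf 'editcap -c %s %s %s\n' "$3" "$2" "$4"
    fi
}

# Usage: sh split_plan.sh INPUT COUNT OUTPUT (runs capinfos, prints the plan)
if [ "$#" -eq 3 ]; then
    plan_split "$(capinfos "$1")" "$1" "$2" "$3"
fi
```

The script only prints the command; review it and run it yourself.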