This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I am using tshark and I would like to store 802.11 header traffic in text format of a live capture. That means that I would like to "cut" the data portion of data frames so that it won't be written to my text file but keep everything else (headers of all data, management and control frames).

I figure that since I am mostly interested on the headers this will dramatically reduce the size of my output files. As of now a 10MB pcap gets translated to a 100MB txt file.

Is it possible to do that with some capture filter option or shall I have to settle using a perl script to cut that portion of the output file in a second phase?

Thanks in advance!

asked 31 Aug '13, 05:46

whiteshark's gravatar image

whiteshark
1111
accept rate: 0%


I figure that since I am mostly interested on the headers this will dramatically reduce the size of my output files.

The best way is to limit the capture size during the capture phase.

tcpdump -ni eth0 -s 100 .....
dumpcap -ni eth0 -s 100 .....
wireshark -ni eth0 -s 100 ....

If you want to truncate a capture file later, you can use editcap.

editcap -s 100 input.pcap output.pcap

The actual capture size depends on your needs, so maybe you just open the current capture file and count the bytes you need.

Regards
Kurt

permanent link

answered 31 Aug '13, 14:26

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×349
×238
×184
×89

question asked: 31 Aug '13, 05:46

question was seen: 2,195 times

last updated: 31 Aug '13, 14:26

p​o​w​e​r​e​d by O​S​Q​A