I am using tshark and I would like to store 802.11 header traffic in text format of a live capture. That means that I would like to "cut" the data portion of data frames so that it won't be written to my text file but keep everything else (headers of all data, management and control frames).
I figure that since I am mostly interested on the headers this will dramatically reduce the size of my output files. As of now a 10MB pcap gets translated to a 100MB txt file.
Is it possible to do that with some capture filter option or shall I have to settle using a perl script to cut that portion of the output file in a second phase?
Thanks in advance!
asked 31 Aug '13, 05:46
The best way is to limit the capture size during the capture phase.
If you want to truncate a capture file later, you can use editcap.
The actual capture size depends on your needs, so maybe you just open the current capture file and count the bytes you need.
answered 31 Aug '13, 14:26
Kurt Knochner ♦