Hi experts, I know that opening a big trace file in Wireshark will be slower than opening a relatively small trace file. How would you deal with it generally? Is there any better way to do this? Thanks a lot! asked 23 Jan '14, 06:51 SteveZhou |
2 Answers:
There are two ways
Regards answered 23 Jan '14, 07:51 Kurt Knochner ♦ |
tshark -Y reads a trace record and applies a filter to it. If the filter condition is true, the packet will be processed (displayed, or with -w written to a new file).
answered 27 Jan '14, 22:00 mrEEde |
Thank you, Kurt. [notes to myself: editcap is an application located in the Wireshark installation directory, just as tshark is.]
By the way, are there any options for tshark that can read just part of the trace file, so that we don't need to load the entire trace? It would also reduce the time for loading data.
Hm, do you mean something like this?
-Y "frame.time_relative > 30 and frame.time_relative < 40"
-Y "frame.number gt 45000 and frame.number le 55000"
Hi mrEEde,
Sorry, I have no experience with tshark, so I'm trying to understand what you typed. I found the following two options for tshark:
-R <read filter>     packet Read filter in Wireshark display filter syntax
-Y <display filter>  packet displaY filter in Wireshark display filter syntax
My goal is to read just part of a big trace file, just like you mentioned above. But would tshark actually read the entire big trace file into memory and then apply the display filter when run with the -R or -Y option? If that is the case, tshark still needs to read the entire big file and consume a lot of time.
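The record-at-a-time loop mrEEde describes (read one record, test it against the filter, write or drop it) and the two -Y selections quoted above, shown as an added example that is not part of this thread and not tshark's own code: a minimal classic-pcap slicer in Python that streams the file and never holds more than one record in memory. It assumes a little-endian microsecond pcap (not pcapng) and uses a constructed six-frame sample as input.

```python
import io
import struct
from typing import BinaryIO, Callable, Iterator, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4              # classic little-endian pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def iter_records(fp: BinaryIO) -> Iterator[Tuple[int, float, bytes]]:
    """Yield (frame.number, frame.time_relative, raw record) with fp just past the global header.
    Only the current record is held in memory, so the size of the capture does not matter."""
    first_ts, number = None, 0
    while hdr := fp.read(RECORD_HDR.size):       # an empty read is the clean end of file
        ts_sec, ts_usec, incl_len, _ = RECORD_HDR.unpack(hdr)   # struct.error if header truncated
        data = fp.read(incl_len)
        if len(data) != incl_len:
            raise ValueError(f"record {number + 1} truncated")
        number += 1
        ts = ts_sec + ts_usec / 1_000_000
        first_ts = ts if first_ts is None else first_ts
        yield number, ts - first_ts, hdr + data

def slice_pcap(src: BinaryIO, dst: BinaryIO, keep: Callable[[int, float], bool]) -> int:
    """Stream src into dst, writing only records for which keep(number, time_relative) is true:
    the same read-test-write loop as `tshark -Y <filter> -w out.pcap`. Returns records written."""
    hdr = src.read(GLOBAL_HDR.size)
    if len(hdr) != GLOBAL_HDR.size or GLOBAL_HDR.unpack(hdr)[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here, not pcapng")
    dst.write(hdr)                               # the output needs the same global header
    kept = 0
    for number, rel, raw in iter_records(src):
        if keep(number, rel):
            dst.write(raw)
            kept += 1
    return kept

def slice_bytes(pcap: bytes, keep: Callable[[int, float], bool]) -> Tuple[int, bytes]:
    """Convenience wrapper: run slice_pcap over in-memory stand-ins for the two files."""
    src, dst = io.BytesIO(pcap), io.BytesIO()
    return slice_pcap(src, dst, keep), dst.getvalue()

def build_sample_pcap(offsets_sec=(0, 5, 15, 25, 35, 45)) -> bytes:
    """Constructed input, not a real capture: six 14-byte dummy records spaced as given."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, off in enumerate(offsets_sec):
        payload = bytes([i]) * 14
        out += RECORD_HDR.pack(1_390_000_000 + off, 0, len(payload), len(payload)) + payload
    return out
```

With real files, pass `open("big.pcap", "rb")` and `open("slice.pcap", "wb")` to `slice_pcap`; a predicate such as `lambda n, t: 45000 < n <= 55000` or `lambda n, t: 30 < t < 40` corresponds to the two -Y filters above, and the whole file is still read once from disk even though it is never loaded whole.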