I have a very large pcapng file (about 21GB), and I want to analyze the file in wireshark. Should I split it into small files with editcap? Can editcap handle such a large file? If not, what should I do? asked 20 Feb '14, 17:31 metamatrix
2 Answers:
editcap should be able to handle the file and I think it's absolutely necessary to split or pre-filter the file, as there is no way to load a 21GB file into wireshark or tshark. You can pre-filter the file with tcpdump (e.g. in Linux), by using a capture filter, if you know what to look for.
Regards answered 20 Feb '14, 21:48 Kurt Knochner ♦
Please try splitcap, it's a free tool that can be used for filtering very large PCAP files. It's very fast and efficient. With a few operators you can split a large file into its individual IP pair conversations or even further into port pairs. answered 23 Feb '14, 18:56 deepacket
Thank you, Kurt. Should I use editcap directly on Windows to split the file? What are the proper parameters if I want to split this file into 2GB files?
You can do it on any platform that editcap supports. Unfortunately you cannot split based on file size with editcap, but you can split based on time and/or number of frames, see the editcap man page. If you need the size feature, there are other tools. Just google for: 'pcap file split'
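The two approaches the answers above recommend, pre-filtering with a capture filter and splitting by frame count or by time interval, are shown below as an added, self-contained illustration; this is not code from editcap, tcpdump or the answerers. It writes a small constructed capture in classic pcap format (chosen because its layout is tiny; the real tools handle pcapng the same way), then reproduces what `editcap -c`, `editcap -i` and `tcpdump -r big -w small 'host X'` do, streaming records one at a time so memory stays flat no matter how large the input is. All packet contents, addresses and timestamps are constructed sample data.

```python
import os
import socket
import struct
import tempfile

# Classic little-endian pcap: magic 0xa1b2c3d4, microsecond timestamps.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def pcap_global_header():
    # version 2.4, timezone 0, sigfigs 0, snaplen 65535, Ethernet link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def build_ipv4_frame(src_ip, dst_ip, payload=b"A" * 16):
    """Constructed Ethernet/IPv4 frame; MACs and IP checksum are dummies."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def write_pcap(path, packets):
    """packets: iterable of (seconds, microseconds, frame bytes). Returns count."""
    count = 0
    with open(path, "wb") as f:
        f.write(pcap_global_header())
        for sec, usec, data in packets:
            f.write(struct.pack("<IIII", sec, usec, len(data), len(data)))
            f.write(data)
            count += 1
    return count


def read_pcap(path):
    """Yield one record at a time; a multi-GB file never has to fit in RAM."""
    with open(path, "rb") as f:
        header = f.read(24)
        if len(header) < 24 or struct.unpack("<I", header[:4])[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian classic pcap file")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            sec, usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
            yield sec, usec, f.read(incl_len)


def _write_chunks(chunks, out_prefix):
    paths = []
    for n, chunk in enumerate(chunks):
        path = f"{out_prefix}_{n:05d}.pcap"
        write_pcap(path, chunk)
        paths.append(path)
    return paths


def split_by_count(src, out_prefix, per_file):
    """Same idea as `editcap -c <per_file> src out.pcap`: N frames per file."""
    def chunks():
        batch = []
        for pkt in read_pcap(src):
            batch.append(pkt)
            if len(batch) == per_file:
                yield batch
                batch = []
        if batch:
            yield batch
    return _write_chunks(chunks(), out_prefix)


def split_by_interval(src, out_prefix, seconds):
    """Roughly `editcap -i <seconds>`: start a new file once the timestamp has
    moved <seconds> or more past the first packet of the current file."""
    def chunks():
        batch, start = [], None
        for pkt in read_pcap(src):
            if start is None:
                start = pkt[0]
            if batch and pkt[0] - start >= seconds:
                yield batch
                batch, start = [], pkt[0]
            batch.append(pkt)
        if batch:
            yield batch
    return _write_chunks(chunks(), out_prefix)


def filter_by_host(src, dst_path, host):
    """Same idea as `tcpdump -r src -w dst 'host <ip>'`: keep only IPv4 frames
    whose source or destination address equals host (offsets 26 and 30)."""
    wanted = socket.inet_aton(host)
    def matching():
        for sec, usec, data in read_pcap(src):
            if len(data) >= 34 and data[12:14] == b"\x08\x00" \
                    and wanted in (data[26:30], data[30:34]):
                yield sec, usec, data
    return write_pcap(dst_path, matching())


def demo():
    """Constructed 7-frame capture, 2 s apart, three rotating source hosts."""
    work = tempfile.mkdtemp()
    big = os.path.join(work, "big.pcap")
    write_pcap(big, [(1392900000 + i * 2, 0,
                      build_ipv4_frame("10.0.0.%d" % (i % 3 + 1), "192.0.2.10"))
                     for i in range(7)])
    by_count = split_by_count(big, os.path.join(work, "count"), 3)
    by_time = split_by_interval(big, os.path.join(work, "time"), 3)
    kept = filter_by_host(big, os.path.join(work, "filtered.pcap"), "10.0.0.1")
    return {"count_files": [sum(1 for _ in read_pcap(p)) for p in by_count],
            "time_files": [sum(1 for _ in read_pcap(p)) for p in by_time],
            "filtered": kept}


if __name__ == "__main__":
    print(demo())
```

On the real 21GB file the equivalent commands are `editcap -c 1000000 big.pcapng chunk.pcapng` (one million frames per output file), `editcap -i 60 big.pcapng chunk.pcapng` (one file per minute of capture) and `tcpdump -r big.pcapng -w small.pcap 'host 10.0.0.1'`; the frame count or interval that lands near a 2GB file is found by trial, which is the limitation the answer above refers to.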