This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Time slicing captured files - editcap

0

I'm trying to time slice of a captured file.

using editcap <file_in> <file_out> I get the whole input file.

Using editcp -r <file_in> <file_out> I get the output file with only a couple lines of data.

Using editcp -r -A -B yyyy-mm-dd hh:mm:ss yyyy-mm-dd hh:mm:ss <file_in> <file_out> I get error feedback of incorrect DTG.

Using editcp -r -A -B yyyy-mm-ddhh:mm:ss yyyy-mm-ddhh:mm:ss <file_in> <file_out> I get only one line in the file.

asked 14 Apr '11, 10:11

fredhoef's gravatar image

fredhoef
1111
accept rate: 0%

edited 26 Feb '12, 22:31

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

One Answer:

1

Let me give you an example on how to use editcap to create a timeslice of a tracefile. When you want to keep only packets with timestamps between 11:00 to 13:00 on April 14th 2011, you would use the command:

editcap -A "2011-04-14 11:00:00" -B "2011-04-14 13:00:00" infile.cap outfile.cap

Hope this helps :-)

answered 14 Apr '11, 11:09

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%