This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

After reviewing a 2GB pcap file in Wireshark, is there any way I can split the file in half? I tried running editcap from root, but got the message "Less data was read than was expected" using the latest version of Wireshark.

asked 24 Sep '14, 22:43

Z2869
"editcap -c 100000 in.pcap out.pcap" usually works fine for me - what kind of parameters did you use?

answered 25 Sep '14, 01:02

Jasper ♦♦

Jasper, I tried what you suggested but only got one record, not sure what I am doing wrong. Do you have a good contact number, if you wouldn't mind sharing? vr Jamie

(25 Sep '14, 09:58) Z2869

As Jasper said, editcap should work.

But you could also do it from the GUI. For example if you have a 100-packet capture you want to split in half:

  1. Use a display filter of "frame.number < 50"
  2. File->Export Specified Packets
  3. Only export the displayed packets
  4. Repeat 1-3 with a filter of "frame.number >= 50"

answered 25 Sep '14, 06:12

JeffMorriss ♦

Jasper and Jeff, Kudos. I did just the same and got the message "Less data was read than was expected". I tried reloading the same capture and got the same "error message". Jeff, I will give your idea a try. I am so thankful for both of your replies. I will let you folks know how it goes. vr Jamie

(25 Sep '14, 07:52) Z2869

I got it to work but had to do a lot of playing with > and = values etc. I was able to find or write a script to split files, have well over 4TB to do. :-(

(25 Sep '14, 12:14) Z2869

Hmm if you have that much data you really should be using editcap. I'd suggest opening a bug report about editcap (including a sample capture, of course) and/or trying out the latest buildbot version of Wireshark to see if the problem is already fixed.

That being said, it's also possible that it could be done with tshark but I couldn't tell you if you need the "-R" or "-Y" argument (there's some funniness with tshark and frame numbers depending on how you're doing your filtering--and I don't remember the conclusion of those discussions).

(25 Sep '14, 12:41) JeffMorriss ♦

Kudos Jeff, will follow up after I do as you suggest, as well as check the latest build v. Thanks for taking the time to follow up with me. v/r Jamie

answered 25 Sep '14, 19:24

Z2869
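Added example (not posted by anyone in this thread, and not Wireshark's own code): a capture that ends partway through a packet record is one thing that can produce a short-read message like the one quoted in the question. The Python sketch below splits a classic pcap file (not pcapng) in half by packet count and reports how many bytes of a cut-off final record it dropped; all function names and the sample capture are constructed for illustration.

```python
import io
import struct

# Classic pcap magic numbers -> struct byte-order prefix (pcapng is not handled).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond

def scan(fh):
    """Return (end offsets of complete records, bytes left from a cut-off record)."""
    fh.seek(0)
    hdr = fh.read(24)
    if len(hdr) < 24 or hdr[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian, size, pos, ends = MAGICS[hdr[:4]], fh.seek(0, 2), 24, []
    while pos + 16 <= size:                      # room for a record header?
        fh.seek(pos + 8)                         # skip ts_sec and ts_usec
        incl_len = struct.unpack(endian + "I", fh.read(4))[0]
        if pos + 16 + incl_len > size:           # packet bytes cut short
            break
        pos += 16 + incl_len
        ends.append(pos)
    return ends, size - pos

def copy_range(src, dst, start, stop, chunk=1 << 20):
    """Copy src[start:stop] to dst in chunks so multi-GB files fit in memory."""
    src.seek(start)
    while start < stop:
        buf = src.read(min(chunk, stop - start))
        dst.write(buf)
        start += len(buf)

def split_in_half(src, out1, out2):
    """Write each half of the complete records; return (record count, tail bytes)."""
    ends, tail = scan(src)
    if not ends:
        raise ValueError("no complete packet records")
    mid = ends[(len(ends) + 1) // 2 - 1]         # first half gets the extra packet
    for dst, start, stop in ((out1, 24, mid), (out2, mid, ends[-1])):
        copy_range(src, dst, 0, 24)              # each output needs the global header
        copy_range(src, dst, start, stop)
    return len(ends), tail

def build_sample(n, cut=0):
    """Constructed sample: n records of 60 bytes each, optionally cut short."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n):
        blob += struct.pack("<IIII", i, 0, 60, 60) + bytes([i]) * 60
    return blob[:len(blob) - cut]

if __name__ == "__main__":
    a, b = io.BytesIO(), io.BytesIO()
    print(split_in_half(io.BytesIO(build_sample(5, cut=10)), a, b))
```

For real files, pass objects opened with `open(path, "rb")` and `open(path, "wb")` in place of the `BytesIO` buffers; a non-zero second return value means the input ended inside a record.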