After review a 2GB pcap file in wireshark, is there anyway can split file in half. I tried r running editcap from root; but got message "Less data was read than was expected" using the latest version of Wireshark. asked 24 Sep '14, 22:43  Z2869 |
3 Answers:
"editcap -c 100000 in.pcap out.pcap" usually works fine for me - what kind of parameters did you use? answered 25 Sep '14, 01:02  Jasper ♦♦ |
As Jasper said, editcap should work. But you could also do it from the GUI. For example if you have a 100-packet capture you want to split in half:
answered 25 Sep '14, 06:12  JeffMorriss ♦ Jasper and Jeff, Kudos. I did just that same and got the message ""Less data was read than was expected", I tried reloaded same capture and got same "error message" Jeff I will give your idea as try. I am so thank for both of your replies. I will let you folks know how it goes. vr Jamie (25 Sep '14, 07:52) Z2869 I got it to work but had to do alot of playing with > and = values etc. I wsa able to find or write a script to split files, have well over 4TB to do. :-( (25 Sep '14, 12:14) Z2869 Hmm if you have that much data you really should be using editcap. I'd suggest opening a bug report about editcap (including a sample capture, of course) and/or trying out the latest buildbot version of Wireshark to see if the problem is already fixed. That being said, it's also possible that it could be done with tshark but I couldn't tell you if you need the "-R" or "-Y" argument (there's some funniness with tshark and frame numbers depending on how you're doing your filtering--and I don't remember the conclusion of those discussions). (25 Sep '14, 12:41) JeffMorriss ♦ |
Kudos Jeff will follow up after to do as you suggest as well check latest build v. Thanks for taking time to follow up with me. v/r Jamie answered 25 Sep '14, 19:24 Z2869 |
Jasper, I tried what you suggested but only got one record, not sure what I doing wrong. Do you have a good contact number if you wouldn't mind sharing. vr Jamie