I need to filter a big pcap, I can use display filter, but it's typically slower than capture filter. However I got the following message:
When how can I use capture filter for tshark to read from a file.
asked 29 Apr '15, 12:35
Using a capture filter while reading is not an option in tshark. You could use tcpdump or windump to do that for you:
This will work quicker than tshark and has less memory consumption, so you can process larger files.
answered 29 Apr '15, 13:05