This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can’t shrink the size of packets in a pcap

0

Try to shrink a pcap by make each packet at most 500 bytes, the following command doesn't seem to work: the resulted file packets in "delme.pcap" is still bigger than 500 bytes.

tshark -r out.pcap -s 500 -w delme.pcap

Could it be because my tshark (v 1.10.6) is not too old? Pcap is here, note that it contains a malware.

asked 09 Sep '15, 21:27

pktUser1001's gravatar image

pktUser1001
201495054
accept rate: 12%

One Answer:

1

the -s parameter in tshark command line will be used during a live capture, not when reading an existing pcap file.

If you want to modify an existing pcap, use editcap instead:

editcap -s 500 out.pcap delme.pcap

answered 09 Sep '15, 22:23

Pascal%20Quantin's gravatar image

Pascal Quantin
5.5k1060
accept rate: 30%

Thanks @pascal-quantin for the explanation!

(10 Sep '15, 07:25) pktUser1001