This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark command


Hi,

We run the Tshark command from the command prompt for a particular frame number. In this situation, for large pcap files it takes more time to get the packet details. How to minimize the time for tshark?

Ex: tshark.exe -2 -r 1.pcap -Y "frame.number==13725" -T pdml > 1.pdml

Regards, Swathi.

asked 14 Jun '16, 07:08


swathi jakkam

edited 14 Jun '16, 10:41

Bill Meier ♦♦


One Answer:


Have a look at editcap

editcap.exe -r 1.pcap frame13725.pcap 13725

Then use tshark on this file

tshark.exe -2 -r frame13725.pcap -T pdml > 1.pdml

Warning: This also means that none of the context of the original capture is available when dissecting this single frame, so the results may differ.

Still, editcap may be helpful, e.g. if you are able to cut capture files in half or smaller.

answered 14 Jun '16, 07:27


Jaap ♦

edited 14 Jun '16, 10:42

Bill Meier ♦♦

Thanks for the reply. The above commands are working for a normal pcap file. But I have another doubt: how to apply the SSL key file (-o ssl.keylog_file) to the editcap.exe command?

Regards, Swathi.

(15 Jun '16, 00:46) swathi jakkam
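An added example (not code from the original thread) that wraps the answer's two-step procedure and addresses the follow-up comment: editcap only copies packets and never dissects them, so a keylog preference has no effect there; it belongs on the tshark step. The script also keeps a slice of preceding frames so that reassembly and decryption state is not lost, and it accounts for editcap renumbering frames in the output from 1. The file names, the context size of 25 frames and the `.exe` suffix handling are assumptions.

```python
import subprocess


def build_commands(pcap, frame, context=25, keylog=None, exe_suffix=""):
    """Return (editcap_argv, tshark_argv, local_frame) for one target frame.

    `context` preceding frames are kept in the slice so that the target frame
    can still be reassembled/decrypted. editcap renumbers the frames it writes
    starting at 1, so the target must be re-addressed inside the slice.
    """
    if frame < 1:
        raise ValueError("frame numbers start at 1")
    first = max(1, frame - context)           # first frame kept in the slice
    local_frame = frame - first + 1           # target's number inside the slice
    slice_path = f"frame{frame}.pcap"         # assumed output name
    frame_spec = str(frame) if first == frame else f"{first}-{frame}"
    editcap = [f"editcap{exe_suffix}", "-r", pcap, slice_path, frame_spec]
    tshark = [f"tshark{exe_suffix}", "-2", "-r", slice_path]
    if keylog:
        # Decryption is a dissection preference: it goes on tshark, not editcap.
        # Wireshark 3.x and later spell this preference tls.keylog_file.
        tshark += ["-o", f"ssl.keylog_file:{keylog}"]
    tshark += ["-Y", f"frame.number=={local_frame}", "-T", "pdml"]
    return editcap, tshark, local_frame


def extract_frame_pdml(pcap, frame, out_pdml, context=25, keylog=None,
                       exe_suffix=""):
    """Run the editcap slice and the tshark dissection, writing PDML to out_pdml."""
    editcap, tshark, _ = build_commands(pcap, frame, context, keylog, exe_suffix)
    subprocess.run(editcap, check=True)
    with open(out_pdml, "wb") as fh:
        subprocess.run(tshark, check=True, stdout=fh)


if __name__ == "__main__":
    # Same request as the original question, with a keylog file (assumed path).
    extract_frame_pdml("1.pcap", 13725, "1.pdml", keylog="keys.log")
```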