This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can't use editcap

0

Hi, first of all: I'm sorry for my English.

I have the latest Wireshark version, 1.6.2. The problem: when I try to open my xxx.eth file with Wireshark, it shows me this error: "This application has requested the Runtime to terminate it in an unusual way." The file is about 38 MB and should not be too big; Wireshark already worked with 200 MB and bigger files. I searched in different forums and tried to use editcap. But when I double-click on editcap, a black DOS window opens and closes so fast that I can't read anything. I really don't know much about this stuff :/ Can somebody help me, please? For example, I found the following command in a forum:

editcap -c 100000 <yourbigfile> <outfile>

But how do I use it? Where can I command it? editcap doesn't even open, so I could be able to command anything!

Thanks :)

PS: If someone wants to answer in German, no problem :)

asked 10 Sep '11, 04:43

weltbeobachter
1112
accept rate: 0%


One Answer:

2

You should run editcap from a command line window, since it is a command line tool - if you double click it from the explorer it will exit right away, after showing some usage details.

So start cmd.exe (I think it is called "Eingabeaufforderung" in a German Windows Start Menu, but I'm not sure), change into the Wireshark installation directory (usually "C:\programme\Wireshark") and run editcap. That should work, and show you all the options it has.

Now, in your command line window, change to the directory where the trace is, and call editcap with its full path (or, if you prefer to run it anywhere without the path, you could add the Wireshark installation directory to your system path variable if you know how to do that).

answered 10 Sep '11, 04:52

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 10 Sep '11, 04:53

Wow, that was very fast! Thank you! I followed your instructions, but I'm sorry, I didn't understand the last chapter :/

Maybe you can help me when I provide more details... I can see all the options of editcap now. The installation directory was right, and the path of the file I want to split up is: C:usersXXXXXspeed.eth

Is it possible that you show me what I must write into that DOS window now?

Thanks again :)

(10 Sep '11, 05:17) weltbeobachter

it is "C:usersXXXXXspeed .eth"

(10 Sep '11, 05:19) weltbeobachter

Damn it, it doesn't show the / sign xD

(10 Sep '11, 05:19) weltbeobachter
1

yeah, you need to put double \ in there to see them.

Try something like this:

c:\programme\wireshark\editcap -c 100000 -F libpcap c:\usersXXXXXspeed.eth c:\tracefile.pcap

which will cut it into files of 100000 packets each, saving them in the libpcap format.

(10 Sep '11, 06:31) Jasper ♦♦

It worked! Thanks a LOT!

(10 Sep '11, 07:03) weltbeobachter