This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to split a Microsoft Network Monitor 3.x output file with editcap

0

Hi, we get a *.cap file from the Microsoft Network Monitor 3.x tool, but it's too large for analysis. When we try to split the file with editcap.exe, no file is created:

editcap -c 5000 -F netmon2 D:\MicrosoftNTP.cap D:\temp

How do we specify the input file type for editcap? The -T and -F parameters are only used for the output file.

asked 18 Aug '17, 05:07

neil_hao


One Answer:

1

how to specify the input file type of editcap

You can't.

Because you don't have to.

The library that Wireshark, TShark, editcap, capinfos, etc. use to read capture files figures out the file type for you.

answered 18 Aug '17, 21:28

Guy Harris ♦♦

Thanks, but how do we split this file with tshark? After we run the script "editcap -c 5000 -F netmon2 D:\MicrosoftNTP.cap D:\temp", the output file is broken and can't be opened by Wireshark.

(20 Aug '17, 23:17) neil_hao
1

editcap ... the output file is broken and can't be opened by Wireshark

That would therefore be a bug in editcap - if it writes a file that can't be read by Wireshark, that's a bug.

Please file a bug on the Wireshark Bugzilla, and attach the input file you're using, so we can try to reproduce it.

(20 Aug '17, 23:47) Guy Harris ♦♦
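
An added illustration (not Wireshark's code and not part of the original thread) of why no input-type option is needed: a capture reader can identify the format from the file's leading magic bytes rather than from its name or a command-line flag. It covers only a few formats, and the function names and sample headers are constructed for this example.

```python
import struct

NETMON_MAGICS = (b"RTSS", b"GMBU")   # Network Monitor 1.x and 2.x file formats
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"   # pcapng Section Header Block type
# pcap magic as the bytes appear on disk -> (struct byte order, timestamp resolution)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
}


def identify_capture(header: bytes):
    """Return (format_name, version or None) from the first bytes of a file."""
    magic = header[:4]
    if magic in NETMON_MAGICS and len(header) >= 6:
        # Network Monitor header: magic, then minor and major version bytes.
        minor, major = header[4], header[5]
        return ("Network Monitor", f"{major}.{minor}")
    if magic in PCAP_MAGICS and len(header) >= 8:
        # pcap header: magic, then 16-bit major and minor version numbers
        # stored in the byte order that the magic itself reveals.
        order, resolution = PCAP_MAGICS[magic]
        major, minor = struct.unpack(order + "HH", header[4:8])
        return (f"pcap ({resolution})", f"{major}.{minor}")
    if magic == PCAPNG_MAGIC:
        return ("pcapng", None)
    return ("unknown", None)


def identify_file(path):
    """Identify a capture file on disk by content; the extension is ignored."""
    with open(path, "rb") as f:
        return identify_capture(f.read(8))


# Constructed sample headers (not taken from any real capture).
SAMPLE_NETMON = b"GMBU" + bytes([0, 2])            # minor=0, major=2
SAMPLE_PCAP = struct.pack("<IHH", 0xA1B2C3D4, 2, 4)

if __name__ == "__main__":
    for label, hdr in (("netmon", SAMPLE_NETMON), ("pcap", SAMPLE_PCAP)):
        print(label, identify_capture(hdr))
```

Both formats are commonly saved with a .cap extension, which is why detection has to rely on content.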