This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture file too large to parse

0

Is there a way to take a already captured file (like 150mb) and turn it into several smaller files that are easier to manage?

asked 17 Nov '11, 08:48

gtefft's gravatar image

gtefft
1112
accept rate: 0%


One Answer:

4

Yes, you can slice it into smaller files using editcap -c 100000 <infile.pcap> <outfile.pcap>, which will slice the infile.pcap in multiple files with 100,000 frames each (or any other number you put in there). editcap is installed together with the wireshark executable.

As long as you can load the file into Wireshark you might also save partial files using the "save as" option, and use the "Packet Range" pane to set the boundaries, for example a range like "1-100000", followed by "100001-200000", etc.

answered 17 Nov '11, 08:53

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 17 Nov '11, 08:54

thanks so much

(17 Nov '11, 09:23) gtefft