Have to large pcap file. How can i get just the voip thereout. I already tried with time selection (-A -B) asked 23 Nov '11, 10:35  tkwire |
One Answer:
In general splitting up files is easily done with editcap
gives you two ways to split your too big capture file into smaller ones. If you just want to filter voip out of the trace you could use tshark to grab frames matching a specific display filter and save those to a new trace like e.g. for cisco based voip with skinny as signalling protocol answered 23 Nov '11, 13:19  Landi |
i allready tried with editcap packets per file and seconds per file. the problem is, then i get just the first peace of voip and the next peaces are lost. (in the first file is the first peace of voip and in the next file is no voip. so i can get just about 30sec voip from a 30min. voip)
with tshark i get this error massage: This application has requested the Runtime to terminate it in an unusual way. Please contact the application’s support team for more information
my File: 733009451 bytes packets more than 139400 packets (preview timeout) format: modified tcpdump-libpcap
I don't really get the problem why the "next pieces [of voip] are lost" when you use editcap. Tshark might not like the filesize of your pcap, so even if more complicated, maybe you try the following:
I get this massage when i run tshark Read filters were specified both with "-R" and wit additional command-line arguments