This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Splitting a large file

1

An older capture now produces file sizes that are too large for WS to open. Is there a way to tell WS to open just a portion of the file, or to split the file into smaller pieces? It is not possible to change the capture at this time.

asked 19 Dec '11, 13:26

truman220's gravatar image

truman220
31113
accept rate: 0%

5 Answers:
active answersoldest answersnewest answerspopular answers
1

I think editcap ought to be able to help you here. Read about it in the man page or the user guide.

permanent link

answered 19 Dec '11, 13:33

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

1

I used editcap -r filein fileout 1-80000 to make manageable chunks for Excel. Thanks for the help!

permanent link

answered 22 Dec '11, 13:44

truman220's gravatar image

truman220
31113
accept rate: 0%

0

I use SplitCap. It automatically splits a capture file by "flow" (combination of Source IP/Port and Dest IP/Port)

permanent link

answered 19 Dec '11, 15:34

jdwegner's gravatar image

jdwegner
1
accept rate: 0%

edited 19 Dec '11, 15:38

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
0

I posted a vid showing how to do this with editcap.

permanent link

answered 21 Dec '11, 07:14

thetechfirm's gravatar image

thetechfirm
64116
accept rate: 0%

edited 21 Dec '11, 14:44

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
0

TShark and SplitCap
SplitCap is a great tool, but if you have a large capture file you end up with a lot of output files.
Sample capture file SIP_CALL_RTP_G711 (rename the file to SIP_CALL_RTP_G711.pcap).

TShark
Run this command to get an overview of the tcp and udp conversations:
$ tshark –r SIP_CALL_RTP_G711.pcap –q –z conv,tcp –z conv,udp

SplitCap
You can use the overview to build your filter for SplitCap. You can filter on ip addresses and/or port numbers to split the file.

You can use the option –s nosplit to create a single output file.

Here are some examples:
$ splitcap -r SIP_CALL_RTP_G711.pcap -port 23 -port 110
$ splitcap -r SIP_CALL_RTP_G711.pcap -port 23 -port 110 -s nosplit
$ splitcap -r SIP_CALL_RTP_G711.pcap -ip 200.73.183.213 -port 110 –s nosplit
$ splitcap -r SIP_CALL_RTP_G711.pcap -ip 200.57.7.204 –s nosplit

permanent link

answered 21 Dec '11, 15:50

joke's gravatar image

joke
1.3k4934
accept rate: 9%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×7

question asked: 19 Dec '11, 13:26

question was seen: 28,332 times

last updated: 22 Dec '11, 13:44

Related questions

Tool for splitting voip calls to separate files

How to split voip to saperate pcap files in easy way

Fragmentation problems

Split pcap file into smaller pcap file (according to tcp flow)

Reassembling/Merge failure

how to split a .pcap file

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A