This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Splitting a large file

1

An older capture now produces file sizes that are too large for WS to open. Is there a way to tell WS to open just a portion of the file, or to split the file into smaller pieces? It is not possible to change the capture at this time.

asked 19 Dec '11, 13:26

truman220's gravatar image

truman220
31113
accept rate: 0%

5 Answers:

1

I think editcap ought to be able to help you here. Read about it in the man page or the user guide.

answered 19 Dec '11, 13:33

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

1

I used editcap -r filein fileout 1-80000 to make manageable chunks for Excel. Thanks for the help!

answered 22 Dec '11, 13:44

truman220's gravatar image

truman220
31113
accept rate: 0%

0

I use SplitCap. It automatically splits a capture file by "flow" (combination of Source IP/Port and Dest IP/Port)

answered 19 Dec '11, 15:34

jdwegner's gravatar image

jdwegner
1
accept rate: 0%

edited 19 Dec '11, 15:38

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

0

I posted a vid showing how to do this with editcap.

answered 21 Dec '11, 07:14

thetechfirm's gravatar image

thetechfirm
64116
accept rate: 0%

edited 21 Dec '11, 14:44

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

0

TShark and SplitCap
SplitCap is a great tool, but if you have a large capture file you end up with a lot of output files.
Sample capture file SIP_CALL_RTP_G711 (rename the file to SIP_CALL_RTP_G711.pcap).

TShark
Run this command to get an overview of the tcp and udp conversations:
$ tshark –r SIP_CALL_RTP_G711.pcap –q –z conv,tcp –z conv,udp

SplitCap
You can use the overview to build your filter for SplitCap. You can filter on ip addresses and/or port numbers to split the file.

You can use the option –s nosplit to create a single output file.

Here are some examples:
$ splitcap -r SIP_CALL_RTP_G711.pcap -port 23 -port 110
$ splitcap -r SIP_CALL_RTP_G711.pcap -port 23 -port 110 -s nosplit
$ splitcap -r SIP_CALL_RTP_G711.pcap -ip 200.73.183.213 -port 110 –s nosplit
$ splitcap -r SIP_CALL_RTP_G711.pcap -ip 200.57.7.204 –s nosplit

answered 21 Dec '11, 15:50

joke's gravatar image

joke
1.3k4934
accept rate: 9%