Why did file size become bigger after applying filtering on tshark?

Hello all,

I have a large pcap file that is ~5.16GB and I would like to reduce it to a smaller size by filtering out a list of IP addresses. I used the following command with tshark:

    C:\Program Files\Wireshark>tshark -r C:\Users\-\Desktop\Botnet-Training.pcap -Y "not(ip.addr==147.32.84.150 or ip.addr==147.32.84.140 or ip.addr==147.32.84.130 or ip.addr==147.32.84.160 or ip.addr==10.0.2.15 or ip.addr==192.168.106.141 or ip.addr==192.168.106.131 or ip.addr==172.16.253.130 or ip.addr==172.16.253.131 or ip.addr==172.16.253.129 or ip.addr==172.16.253.240 or ip.addr==74.78.117.238 or ip.addr==158.65.110.24 or ip.addr==192.168.3.35 or ip.addr==192.168.3.25 or ip.addr==192.168.3.65 or ip.addr==172.29.0.116 or ip.addr==172.29.0.109 or ip.addr==172.16.253.132 or ip.addr==192.168.248.165 or ip.addr==10.37.130.4)" -w C:\Users\-\Desktop\FYP\reduced.pcap

However, I got a file size of ~5.22GB instead.

Any suggestions on why?

Thank you very much