An older capture now produces file sizes that are too large for WS to open. Is there a way to tell WS to open just a portion of the file, or to split the file into smaller pieces? It is not possible to change the capture at this time.

asked 19 Dec '11, 13:26

truman220


I think editcap ought to be able to help you here. Read about it in the man page or the user guide.

answered 19 Dec '11, 13:33

cmaynard ♦

I use SplitCap. It automatically splits a capture file by "flow" (combination of Source IP/Port and Dest IP/Port).

answered 19 Dec '11, 15:34

jdwegner

edited 19 Dec '11, 15:38

cmaynard ♦

answered 21 Dec '11, 07:14

thetechfirm

edited 21 Dec '11, 14:44

Guy Harris ♦♦

TShark and SplitCap
SplitCap is a great tool, but if you have a large capture file you end up with a lot of output files.
Sample capture file SIP_CALL_RTP_G711 (rename the file to SIP_CALL_RTP_G711.pcap).

TShark
Run this command to get an overview of the TCP and UDP conversations:
$ tshark -r SIP_CALL_RTP_G711.pcap -q -z conv,tcp -z conv,udp

SplitCap
You can use the overview to build your filter for SplitCap. You can filter on IP addresses and/or port numbers to split the file.

You can use the option -s nosplit to create a single output file.

Here are some examples:
$ splitcap -r SIP_CALL_RTP_G711.pcap -port 23 -port 110
$ splitcap -r SIP_CALL_RTP_G711.pcap -port 23 -port 110 -s nosplit
$ splitcap -r SIP_CALL_RTP_G711.pcap -ip 200.73.183.213 -port 110 -s nosplit
$ splitcap -r SIP_CALL_RTP_G711.pcap -ip 200.57.7.204 -s nosplit

answered 21 Dec '11, 15:50

joke

I used editcap -r filein fileout 1-80000 to make manageable chunks for Excel. Thanks for the help!

answered 22 Dec '11, 13:44

truman220
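
As an added example, not code from any poster or from the Wireshark project: splitting a classic pcap file into fixed-size packet chunks by streaming it record by record, so the whole capture never has to fit in memory. This is the same kind of split that `editcap -c <packets per file>` performs; the function names, the `.partNNNN.pcap` naming and the constructed sample capture are assumptions made for the example, and pcapng input is rejected.

```python
import os
import struct
import tempfile

# First 4 bytes read as little-endian uint32 -> byte order of the file (usec and nsec magics).
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def split_pcap(path, chunk_packets):
    """Stream `path` into <path>.partNNNN.pcap files; return [[name, packets], ...]."""
    if chunk_packets < 1:
        raise ValueError("chunk_packets must be at least 1")
    chunks, out = [], None
    with open(path, "rb") as src:
        global_header = src.read(24)
        magic = struct.unpack("<I", global_header[:4])[0] if len(global_header) == 24 else None
        if magic not in MAGICS:
            raise ValueError("not a classic pcap file (pcapng is not handled)")
        fmt = MAGICS[magic] + "IIII"           # ts_sec, ts_frac, incl_len, orig_len
        while True:
            record_header = src.read(16)
            if len(record_header) < 16:        # end of file, or a cut-off record header
                break
            incl_len = struct.unpack(fmt, record_header)[2]
            data = src.read(incl_len)
            if len(data) < incl_len:           # capture cut off mid-packet: drop the partial record
                break
            if out is None or chunks[-1][1] == chunk_packets:
                if out is not None:
                    out.close()
                chunks.append([f"{path}.part{len(chunks):04d}.pcap", 0])
                out = open(chunks[-1][0], "wb")
                out.write(global_header)       # each chunk needs the header to open on its own
            out.write(record_header + data)
            chunks[-1][1] += 1
    if out is not None:
        out.close()
    return chunks

def build_sample(path, packets):
    """Constructed input: little-endian pcap, linktype 1 (Ethernet), dummy 60-byte frames."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i in range(packets):
            f.write(struct.pack("<IIII", 1324301160 + i, 0, 60, 60) + bytes([i % 256]) * 60)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(os.path.join(tmp, "sample.pcap"), 10)
        print(split_pcap(os.path.join(tmp, "sample.pcap"), 4))
```

A capture that was cut off while being written still splits cleanly: the incomplete trailing record is dropped rather than copied into the last chunk.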
