How to get random packets from a .pcap file?

asked 2017-11-02

updated 2017-11-02

I am trying to get a random subset of packets from a .pcap file. To do so, I have written the following shell script:

selected_packet_numbers=$(shuf -i 0-"$large_number" -n "$smaller_number")
editcap -r capture.pcap capture-selected.pcap $selected_packet_numbers

However, editcap is giving me the following error:

Out of room for packet selections

Using a shell loop would take an unreasonably long time.

What can I do to select a random subset of packets from a .pcap file?

answered 2017-11-02

Unless something has changed, there will be a limit to the number of packets or ranges you can specify in a single run of editcap (it might still be 100 or could have been increased to 512).

So you might need to work with that.

In Wireshark 2.x this is set to 512.

Jaap ( 2017-11-02 )
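One way to work within the per-run selection limit discussed above, as an added example that is not part of the original thread: draw the random packet numbers once, hand them to editcap in batches, and join the parts with mergecap. The function name `sample_pcap`, the `MAX_SEL` variable and the argument order are assumptions made for this sketch; the total packet count is passed in by the caller, like `$large_number` in the question.

```shell
#!/bin/sh
# Added example (not from the thread). editcap accepts only a limited number
# of packet selections per run; 512 is the Wireshark 2.x value quoted above.
# Set MAX_SEL=100 for older builds.
MAX_SEL=${MAX_SEL:-512}

# sample_pcap SRC DST COUNT TOTAL   (hypothetical helper)
#   Keep COUNT randomly chosen packets (numbered 1..TOTAL) from SRC in DST.
# The body runs in a subshell so the temp-dir cleanup trap stays local.
sample_pcap() (
    src=$1 dst=$2 count=$3 total=$4
    [ "$count" -ge 1 ] && [ "$total" -ge 1 ] || exit 2

    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT

    # Draw distinct packet numbers and sort them, so each batch covers a
    # slice of the capture that comes before the next batch's slice.
    shuf -i 1-"$total" -n "$count" | sort -n > "$tmp/numbers"

    # One file of at most MAX_SEL numbers per editcap run.
    split -a 4 -l "$MAX_SEL" "$tmp/numbers" "$tmp/batch."

    for b in "$tmp"/batch.*; do
        # -r keeps the listed packets instead of deleting them.
        # $(cat ...) is deliberately unquoted: one argument per number.
        editcap -r "$src" "$b.pcap" $(cat "$b") || exit 1
    done

    # -a concatenates in argument order; the glob sorts batch.aaaa,
    # batch.aaab, ... so the packets stay in capture order.
    mergecap -a -w "$dst" "$tmp"/batch.*.pcap
)

# Usage: sample_pcap capture.pcap capture-selected.pcap 2000 100000
```

Selecting 2000 packets this way costs four editcap runs plus one mergecap run, instead of one process per packet as in a plain shell loop.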

