Ask Your Question
0

Discard packets from a live trace

asked 2020-10-13 15:45:56 +0000

lemur117 gravatar image

My live traces get fairly large and get to where filtering takes a long time. Is there a way to discard unwanted packets from a live trace so that I don't have to restart the trace, but I can keep the live trace lean? E.g., once my trace gets to 500,000 packets, I may want to discard everything below frame.number==450000.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-10-13 15:58:34 +0000

Chuckc gravatar image

updated 2020-10-13 16:03:28 +0000

A ring buffer that rolls the files after a certain size is close to what you're looking for.

Dumpcap is doing the work underneath. Check -b|--ring-buffer to see how the options being set in the Wireshark Gui are used.

edit flag offensive delete link more

Comments

Thanks. That's actually part of my setup on a server, but I'm wanting to keep the ring buffer size fairly large. My live trace is following a ring buffer file as it's being written on a server, piped over ssh to wireshark.

lemur117 gravatar imagelemur117 ( 2020-10-13 16:03:25 +0000 )edit

Is it ok to restart the GUI? What about using a read filter on the Wireshark command line?

-R|--read-filter <read (display) filter>
When reading a capture file specified with the -r flag, causes the specified filter (which uses the syntax of display filters, rather than that of capture filters) to be applied to all packets read from the capture file; packets not matching the filter are discarded.

If you want to keep the original packet number, maybe ignore packets below the frame.number cutoff.

Chuckc gravatar imageChuckc ( 2020-10-13 16:11:27 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-10-13 15:45:56 +0000

Seen: 681 times

Last updated: Oct 13 '20