Filter only within displayed packets (without re-analyzing entire file)

asked 2018-05-21 15:51:07 +0000

pavja2
1 ●1 ●1 ●3

updated 2018-05-21 16:12:03 +0000

When working with very large files, is it possible to perform filtering operations within the context of a previous query?

For example, if I have a 500MB file and I use a display filter to show all 1000 ftp packets but then want to add "and frame contains 'Error'" to that filter wireshark will parse the entire 500 MB pcap file for packets that match both conditions and take far longer than if it just checked the 1000 packets it had already found.

Is there a better way to do this kind of search operation?

edit retag flag offensive close merge delete

add a comment

1 Answer

Sort by » oldest newest most voted

answered 2018-05-21 16:26:55 +0000

cmaynard

11115 ●11 ●317 ●165 https://www.igt.com/

Currently the way to handle this is to save the 1000 ftp packets to a new file and then continue filtering with the smaller file.

NOTE: There is an old bug that was opened to try to improve this situation and basically implement what you're seeking. See Bug 2578 - snapshot feature: apply filter upon previous displayed packets only for more details.

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-05-21 15:51:07 +0000

Seen: 272 times

Last updated: May 21 '18

Filter only within displayed packets (without re-analyzing entire file) edit

1 Answer