Can tshark skip packets when processing a file?

I have a PCAP file with 2,949,187 packets. I would like to use tshark to dissect some of the packets so that I can do further analysis. I am doing this by having tshark write the packets out (in JSON format) to a file, which I can then process.

If I look at the first 100 packets, like this:

tshark -r INFILE.pcap -T json -a packets:100  "frame.number>=1 && frame.number<=100" > OUTFILE.json

things are quite fast. The "-a" tag lets me tell tshark to stop once it has found 100 packets, so writing out this file takes about 0.8 seconds. Which, in my application, is fine.

But if I want to go deeper into the file, it seems like tshark has to process all of the packets along the way. So

tshark -r INFILE.pcap -T json -a packets:101  "frame.number>=2900000 && frame.number<=2900100" > OUTFILE.json

takes 168.4 seconds to complete.

I've looked in the user guide and don't see anything, but am wondering if more experienced hands have some ideas. Is there a way to tell tshark that it doesn't have to completely process these first 2.9M packets (in this case)? I've done a similar thing on my own using a node.js pcap parser, and it's much faster than this. But I want to take advantage of tshark's dissection engine, so it would be convenient if tshark knew how to simply blow by a whole section of the capture.

Is that possible?
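The slowdown described in the question comes from tshark dissecting every frame it reads before the display filter is evaluated. A classic pcap file, however, stores a 16-byte record header (timestamp, captured length, original length) in front of every frame, so a reader can hop from record to record with seek() and never touch the bodies. The script below is an added example, not code from the question or from the Wireshark project: it copies a frame-number range into a new pcap, which tshark can then dissect in full at first-100-packets speed. It assumes the input is classic pcap (pcapng starts with a Section Header Block and has a different layout; editcap -F pcap converts it), that tshark's frame.number equals the record's position in the file, and the sample capture produced by build_sample_pcap() is constructed for the test, not a real capture.

```python
"""Slice a classic pcap by frame-number range without dissecting anything.

Only the 16-byte record headers of the frames before the range are read;
their bodies are skipped with seek(), so reaching frame 2,900,000 costs a
few million small reads rather than full dissection of each packet.
"""
import io
import struct
import sys

# pcap magic numbers as read little-endian from the first 4 bytes.
# 0xA1B2C3D4 / 0xA1B23C4D: file was written little-endian (us / ns timestamps)
# 0xD4C3B2A1 / 0x4D3CB2A1: file was written big-endian
_ENDIAN_BY_MAGIC = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}
_PCAPNG_MAGIC = 0x0A0D0D0A   # Section Header Block type; every pcapng file starts with it


def _endianness(global_header: bytes) -> str:
    """Return the struct byte-order prefix for this pcap, or raise on other formats."""
    if len(global_header) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", global_header[:4])[0]
    if magic == _PCAPNG_MAGIC:
        raise ValueError("pcapng input: convert with 'editcap -F pcap' first")
    try:
        return _ENDIAN_BY_MAGIC[magic]
    except KeyError:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})") from None


def slice_pcap(src, dst, first: int, last: int) -> int:
    """Copy frames first..last (1-based, inclusive, like tshark's frame.number)
    from the pcap stream src to dst.  Returns the number of frames written."""
    if first < 1 or last < first:
        raise ValueError("need 1 <= first <= last")
    global_header = src.read(24)
    record_fmt = _endianness(global_header) + "IIII"   # ts_sec, ts_frac, incl_len, orig_len
    dst.write(global_header)          # keeps the original link type and snaplen
    frame = written = 0
    while True:
        record_header = src.read(16)
        if len(record_header) < 16:
            break                     # end of file (or a trailing partial header)
        frame += 1
        incl_len = struct.unpack(record_fmt, record_header)[2]
        if frame < first:
            src.seek(incl_len, io.SEEK_CUR)   # skip the body without reading it
            continue
        if frame > last:
            break                     # nothing after the range is needed
        body = src.read(incl_len)
        if len(body) < incl_len:
            raise ValueError(f"frame {frame} is truncated")
        dst.write(record_header + body)
        written += 1
    return written


def slice_pcap_bytes(data: bytes, first: int, last: int) -> bytes:
    """Convenience wrapper over slice_pcap for in-memory pcap data."""
    out = io.BytesIO()
    slice_pcap(io.BytesIO(data), out, first, last)
    return out.getvalue()


def frame_bodies(data: bytes) -> list:
    """Return the captured bytes of every frame in an in-memory pcap (used to check slices)."""
    record_fmt = _endianness(data[:24]) + "IIII"
    bodies, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(record_fmt, data[pos:pos + 16])[2]
        bodies.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return bodies


# --- constructed sample data (not from a real capture) ------------------------

def sample_body(i: int) -> bytes:
    """Deterministic fake frame payload: frame i is 20 + (i % 5) bytes of value i."""
    return bytes([i & 0xFF]) * (20 + i % 5)


def build_sample_pcap(n: int, endian: str = "<") -> bytes:
    """Build a minimal pcap (version 2.4, Ethernet link type, snaplen 65535) with n fake frames."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(1, n + 1):
        body = sample_body(i)
        out += struct.pack(endian + "IIII", 1_700_000_000 + i, 0, len(body), len(body)) + body
    return out


if __name__ == "__main__":
    # usage: python slice_pcap.py INFILE.pcap OUTFILE.pcap 2900000 2900100
    #        tshark -r OUTFILE.pcap -T json > OUTFILE.json
    in_path, out_path, first, last = sys.argv[1], sys.argv[2], int(sys.argv[3]), int(sys.argv[4])
    with open(in_path, "rb") as src, open(out_path, "wb") as dst:
        print(f"wrote {slice_pcap(src, dst, first, last)} frames to {out_path}")
```

Two caveats a practitioner should keep in mind. First, frames in the slice are renumbered from 1, so the frame.number filter from the question is no longer needed (or must be rewritten) when tshark reads the slice. Second, any dissection that depends on state built from earlier frames, such as TCP reassembly, conversation tracking or TLS session keys seen earlier in the capture, will differ from a full-file run, because that earlier context is simply not in the slice. The same cut can be made with Wireshark's own editcap, which likewise does not dissect: editcap -r INFILE.pcap OUTFILE.pcap 2900000-2900100 keeps only the listed frame range.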