Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2018-05-21 15:51:07 +0000

pavja2 gravatar image

Filter only withing displayed packets (without re-analyzing entire file)

When working with very large files, is it possible to perform filtering operations within the context of a previous query?

For example, if I have a 500MB file and I use a display filter to show all 1000 ftp packets but then want to add "and frame contains 'Error'" to that filter wireshark will parse the entire 500 MB pcap file for packets that match both conditions and take far longer than if it just checked the 1000 packets it had already found.

Is there a better way to do this kind of search operation?

Filter only withing displayed packets (without re-analyzing entire file)

When working with very large files, is it possible to perform filtering operations within the context of a previous query?

For example, if I have a 500MB file and I use a display filter to show all 1000 ftp packets but then want to add "and frame contains 'Error'" to that filter wireshark will parse the entire 500 MB pcap file for packets that match both conditions and take far longer than if it just checked the 1000 packets it had already found.

Is there a better way to do this kind of search operation?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2