
An older capture now produces file sizes that are too large for WS to open. Is there a way to tell WS to open just a portion of the file, or to split the file into smaller pieces? It is not possible to change the capture at this time.

asked 19 Dec '11, 13:26

truman220


I think editcap ought to be able to help you here. Read about it in the man page or the user guide.

answered 19 Dec '11, 13:33

cmaynard

I used editcap -r filein fileout 1-80000 to make manageable chunks for Excel. Thanks for the help!

answered 22 Dec '11, 13:44

truman220
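
An added example, not code from this thread or from the Wireshark project: it streams a classic pcap file into chunks of a fixed packet count, one record at a time, so the source never has to fit in memory. The function name `split_pcap`, the output naming scheme and the `MAX_PACKET` cap are assumptions of this example; pcapng input is rejected rather than parsed.

```python
import struct

# On-disk magic of a classic pcap file -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond stamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}  # nanosecond stamps
MAX_PACKET = 262144  # assumed sanity cap on one record's captured length

def split_pcap(src_path, out_prefix, packets_per_file):
    """Stream src_path into pcap files of at most packets_per_file packets each."""
    if packets_per_file < 1:
        raise ValueError("packets_per_file must be >= 1")
    outputs, out, count = [], None, 0
    with open(src_path, "rb") as src:
        global_header = src.read(24)
        order = MAGICS.get(global_header[:4])
        if len(global_header) < 24 or order is None:
            raise ValueError("not a classic pcap file (pcapng is not handled)")
        try:
            while True:
                record_header = src.read(16)
                if len(record_header) < 16:
                    break  # end of file, or a truncated trailing header
                incl_len = struct.unpack(order + "IIII", record_header)[2]  # bytes stored
                if incl_len > MAX_PACKET:
                    raise ValueError("implausible record length, file is corrupt")
                data = src.read(incl_len)
                if len(data) < incl_len:
                    break  # capture cut off mid-packet: drop the partial record
                if out is None or count == packets_per_file:
                    if out is not None:
                        out.close()
                    outputs.append(f"{out_prefix}_{len(outputs):05d}.pcap")
                    out = open(outputs[-1], "wb")
                    out.write(global_header)  # each chunk needs its own file header
                    count = 0
                out.write(record_header + data)
                count += 1
        finally:
            if out is not None:
                out.close()
    return outputs

if __name__ == "__main__":  # demo on a constructed 5-packet capture
    import os, tempfile
    path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        f.write(b"".join(struct.pack("<IIII", i, 0, 4, 4) + b"\0" * 4 for i in range(5)))
    print(split_pcap(path, path[:-5], 2))
```

editcap's own `-c <packets per file>` option performs the same kind of split without custom code.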

I use SplitCap. It automatically splits a capture file by "flow" (combination of Source IP/Port and Dest IP/Port).

answered 19 Dec '11, 15:34

jdwegner

TShark and SplitCap
SplitCap is a great tool, but if you have a large capture file you end up with a lot of output files.
Sample capture file SIP_CALL_RTP_G711 (rename the file to SIP_CALL_RTP_G711.pcap).

TShark
Run this command to get an overview of the tcp and udp conversations:
$ tshark -r SIP_CALL_RTP_G711.pcap -q -z conv,tcp -z conv,udp

SplitCap
You can use the overview to build your filter for SplitCap. You can filter on ip addresses and/or port numbers to split the file.

You can use the option -s nosplit to create a single output file.

Here are some examples:
$ splitcap -r SIP_CALL_RTP_G711.pcap -port 23 -port 110
$ splitcap -r SIP_CALL_RTP_G711.pcap -port 23 -port 110 -s nosplit
$ splitcap -r SIP_CALL_RTP_G711.pcap -ip 200.73.183.213 -port 110 -s nosplit
$ splitcap -r SIP_CALL_RTP_G711.pcap -ip 200.57.7.204 -s nosplit

answered 21 Dec '11, 15:50

joke
