Ethereal-users: Re: [Ethereal-users] Filter Question(Like we've never seen one of these...)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ian Schorr <spamcontrol2@xxxxxxxxxxx>
Date: Wed, 26 Nov 2003 01:15:13 -0500
Ron,

Try:

tethereal -r "origfile.cap" -R "frame.number > 4000000" -w "newfile.cap"

or

tethereal -r "origfile.cap" -R "frame.time_relative > 120" -w "newfile.cap"

The first will write all packets from "origfile.cap" greater than 4,000,000 to "newfile.cap"

The second will write all packets from "origfile.cap" that occurred more than two minutes after the first frame in the trace, to "newfile.cap".

You can also use editcap to split files based on frame numbers (a tad simpler and usually faster), see the docs and the man page.

Ian

Ronald Prague wrote:

I've got a very very large capture file (800MB), it's so big I can't
convert it to a text dump, and ethereal can't open it without crashing.

I'd like to know if you can run a tethereal filter against it to just
get say all frames > 4000000 or all frames within a certain time window?

Ron
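
What the two read filters in the reply select (frame.number > N and frame.time_relative > T), as an added Python example that is not from the thread or from Ethereal: a record-by-record copy over a classic libpcap file, so memory use stays flat regardless of capture size. The names `filter_pcap`, `make_sample` and `MAX_RECORD` and the sample capture are constructed for illustration; pcapng and other capture formats are not handled.

```python
import struct

# Magic bytes -> (struct byte order, timestamp fraction units per second)
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\x4d\x3c\xb2\xa1": ("<", 10**9),
          b"\xa1\xb2\xc3\xd4": (">", 10**6), b"\xa1\xb2\x3c\x4d": (">", 10**9)}
MAX_RECORD = 16 * 1024 * 1024  # assumed sanity cap on one record's length

def filter_pcap(src, dst, min_frame=0, min_rel_seconds=None):
    """Copy records from src to dst one at a time, keeping frames numbered
    above min_frame and, if set, later than min_rel_seconds after frame 1.
    Returns the number of frames written."""
    ghdr = src.read(24)
    if len(ghdr) != 24 or ghdr[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian, units = MAGICS[ghdr[:4]]
    rec = struct.Struct(endian + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    dst.write(ghdr)
    frame = written = 0
    first_ts = None
    while True:
        rhdr = src.read(16)
        if len(rhdr) < 16:
            break  # end of file, or a truncated trailing record header
        ts_sec, ts_frac, incl_len, _orig_len = rec.unpack(rhdr)
        if incl_len > MAX_RECORD:
            raise ValueError(f"frame {frame + 1}: implausible length {incl_len}")
        data = src.read(incl_len)
        if len(data) < incl_len:
            break  # capture cut off mid-packet; keep the complete frames
        frame += 1
        ts = ts_sec * units + ts_frac  # integer timestamp, no float rounding
        if first_ts is None:
            first_ts = ts
        if frame <= min_frame:
            continue
        if min_rel_seconds is not None and ts - first_ts <= min_rel_seconds * units:
            continue
        dst.write(rhdr)
        dst.write(data)
        written += 1
    return written

def make_sample(frames=10, gap_seconds=30):
    """Constructed test capture: little-endian pcap, one 4-byte frame per gap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(frames):
        out += struct.pack("<IIII", 1069827313 + i * gap_seconds, 0, 4, 4) + b"\x00" * 4
    return out
```

Pass file objects opened in binary mode for `src` and `dst`; frame numbers and relative times are always counted from the first record of the input, as in the filters above.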
