I'm trying to load part of a tcpdump file into ethereal (the whole
file is too big for my machine). The "-R" option seems just the thing.
However, I cannot seem to make it work, even with simple test cases like
ethereal -r t.dump -R 'frame.number == 1'
which displays no packets at all. Other attempts (e.g.
"frame.relative_time < 5") show all the packets.
FWIW, tethereal does the right thing:
$ tethereal -r t.dump -R 'frame.number == 1'
1 0.000000 192.168.0.102 -> 192.168.0.255 CUPS ipp://zero.lsli.com:631/printers/Lexmark (idle)
This is all Debian stable (sarge), here's the version info:
ethereal 0.10.10
Compiled with GTK+ 2.6.4, with GLib 2.6.4, with libpcap 0.8.3, with libz 1.2.2,
with libpcre 5.0, without UCD-SNMP or Net-SNMP, with ADNS.
Running with libpcap version 0.8.3 on Linux 2.4.27-2-686.
tethereal 0.10.10
Compiled with GLib 2.6.4, with libpcap 0.8.3, with libz 1.2.2, with libpcre 5.0,
without UCD-SNMP or Net-SNMP, with ADNS.
Running with libpcap version 0.8.3 on Linux 2.4.27-2-686.
The changelog from 0.10.10 to 0.10.12 doesn't show anything that leaps
out.
(Yes, I know I can use tethereal's '-w' option to create a new dump
file, and ethereal to browse it, and I will, but I thought I'd post,
because either there's a bug or I'm an idiot. Let me know which!)
Thanks,
Steve
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask
about Exchange Server next.
-- (Stolen from the net)