Hi Atdev,
Your command line:
> $mergecap -w merge1_2.cap input1.cap input2.cap|wireshark -w chopped.cap
-b filesize:200 -a files:4 -i 2 merge1_2.cap
If you want to split a capture file in multiple files, you have to use editcap
(and not Wireshark):
editcap -c <packets per file> <inputfile> <outputfile>
$ editcap -c 200 merge1_2.cap split.cap
Wireshark options -b (Capture output: ringbuffer) -a (Capture stop conditions:
autostop)
You only use the options -b and -a in Wireshark or TShark, if you want to
start a life capture and you want to send the output to multiple files.
For all the options take a look at wireshark -h or http://www.wireshark.org/docs/man-pages/wireshark.html
> Could any one explain me how to get the expected behaviour.
$mergecap -w merge1_2.cap input1.cap input2.cap
$editcap -c 200 merge1_2.cap split.cap
The output will be something like:
split.cap-00000
split.cap-00001
split.cap-00002
etc.
You can open those files with Wireshark or TShark.
$ wireshark -r split.cap-00000
$ tshark -r split.cap-00000
Hope this helps
Joan
On Mon, 22 Dec 2008 19:01:28 +0530 atdev wrote:
>Hi All,
>
>I tried the following command to load the packets.
>$mergecap -w merge1_2.cap input1.cap input2.cap|wireshark -w chopped.cap
>-b filesize:200 -a files:4 -i 2 merge1_2.cap
>
>But i havn't got any file as chopped.cap after the execution. It simply
loaded
>merge1_2.cap.
>Could any one explain me how to get the expected behaviour.
>
>thanks and regards,
>Atdev.