that sounds like the job for a shellscript
run the captures to capture a more reasonable 100mbyte at a time
instead of tiny 10mbyte.
then run something like :
ls *.cap | while read CAPFILE; do tshark -n -r ${CAPFILE} -w
${CAPFILE}.ldap -R "ldap.authentication==0" ; done
mergecap -w all_simple_sasl.cap *.cap.ldap
If you are on windows and thus shellscript challenged you can
improve your wireshark experience by installing cygwin so that simple
things like this become scriptable.
On 10/26/06, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
On Thu, Oct 26, 2006 at 04:49:45PM +1000, sallas@xxxxxxxxxx wrote:
> Cheers, I had tried using 'tcp port 389' but in needing to do a 24hr
> capture resulted in a lot of info. Even when splitting the data
> amongst multiple files resulted in 10Mb x 260 files. Opening this many
> files would be too much. I'm not sure of what the maximum file size
> WireShark can handle in opening, may give 150Mb a go instead of 10Mb
> multiple file sizes.
This page gives some tips on improving performance when using large
capture files:
http://wiki.wireshark.org/Performance
The size of capture file supported is only limited by the amount of RAM
you have and CPU speed to process all of the packets. I don't think
there is an official upper limit.
Steve
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users