On Jan 25, 2007, at 8:23 PM, Stuart MacDonald wrote:
> I've read the man pages on the tools that come with Wireshark. I was
> hoping to find a tool that opens a capture, applies a filter and
> outputs matching packets to a new file. Here's a sample run of the
> hypothetical filtercap tool:
>
> # filtercap -r very-large.eth -w only-infrequent.eth -f "tcp.port==50000"
tcpdump -r very-large.eth -w only-infrequent.eth tcp port 50000
That can't do arbitrary display filtering, but truly *arbitrary*
display filtering has problems with reassembly (i.e., a filter that
matches something in the reassembled portion of the packet can't match
anything but the last packet). It also can't handle non-libpcap
capture files, but given that your capture file is *from* tcpdump,
it's obviously readable by tcpdump....
> tshark is almost the right thing, except that tshark also tries to
> read in the whole capture first instead of processing it like editcap.
No, actually, it *does* process it like editcap; neither it nor
Wireshark read the entire capture file into memory. They *do* keep
reassembled data in memory, but that's another matter.
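As an added illustration of the "read a capture, keep the packets matching a port filter, write them to a new file" workflow that the tcpdump one-liner above performs, here is a small pure-Python stand-in for the hypothetical filtercap tool. It is example code written for this thread, not part of tcpdump, tshark or Wireshark: it parses the classic libpcap file format directly, matches only Ethernet/IPv4/TCP frames on a single port (the per-packet equivalent of "tcp port 50000"), and streams records one at a time rather than holding the whole file in memory. The sample capture it processes is constructed inline; the function and file names are the example's own.

```python
"""Minimal 'filtercap': read a libpcap file, keep records matching 'tcp port N',
write them to a new libpcap file. Standard library only (example code)."""
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution libpcap magic
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_tcp_packet(src_port, dst_port, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture.
    Checksums stay zero: the filter never inspects them."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4,
                      0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp


def write_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame) -> libpcap file bytes."""
    out = io.BytesIO()
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for ts_sec, ts_usec, frame in records:
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) one record at a time; both byte orders.
    (The nanosecond-magic variant of the format is deliberately not handled.)"""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_usec, frame


def tcp_ports(frame):
    """Return (src, dst) ports for an Ethernet/IPv4/TCP frame, else None.
    Every length is checked so a short or malformed frame is skipped, not a crash."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 4 or ip[9] != IPPROTO_TCP:
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:   # non-first fragment: no TCP header
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])


def filtercap(pcap_bytes, port):
    """The hypothetical 'filtercap -f "tcp.port==PORT"' on in-memory bytes.
    Returns (filtered pcap bytes, number of records kept)."""
    kept = [rec for rec in read_pcap(pcap_bytes)
            if (ports := tcp_ports(rec[2])) is not None and port in ports]
    return write_pcap(kept), len(kept)


def filtercap_file(in_path, out_path, port):
    """File-based wrapper mirroring 'filtercap -r IN -w OUT'."""
    with open(in_path, "rb") as f:
        out, n = filtercap(f.read(), port)
    with open(out_path, "wb") as f:
        f.write(out)
    return n


def sample_capture():
    """Constructed three-frame capture; only the second frame touches port 50000."""
    return write_pcap([
        (1169770980, 0, build_tcp_packet(40000, 80, b"GET / HTTP/1.0\r\n")),
        (1169770981, 500, build_tcp_packet(50000, 3210, b"rare")),
        (1169770982, 0, build_tcp_packet(53, 33000, b"")),
    ])


if __name__ == "__main__":
    out, n = filtercap(sample_capture(), 50000)
    print("kept %d of 3 packets, wrote %d bytes" % (n, len(out)))
```

Like tcpdump's BPF filter, this matches per packet only, so it shares the limitation described above: anything that is only visible after reassembly (a field spread across several TCP segments) cannot be matched this way, and a capture written by tcpdump with the nanosecond magic would need the extra magic value handled in `read_pcap`.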