What about 'grep'?
I used it a lot in my DOS days. I'm sure there is/are
Windows versions. It's quite powerful with many
wildcard characters and search patterns. It will do a
lot of filtering for you.
You may have to run it several times for the
different search parameters.
John
--- Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Jan 25, 2007, at 8:23 PM, Stuart MacDonald wrote:
>
> > I've read the man pages on the tools that come with Wireshark. I was
> > hoping to find a tool that opens a capture, applies a filter and
> > outputs matching packets to a new file. Here's a sample run of the
> > hypothetical filtercap tool:
> > # filtercap -r very-large.eth -w only-infrequent.eth -f "tcp.port==50000"
>
> tcpdump -r very-large.eth -w only-infrequent.eth tcp port 50000
>
> That can't do arbitrary display filtering, but truly *arbitrary*
> display filtering has problems with reassembly (i.e., a filter that
> matches something in the reassembled portion of the packet can't match
> anything but the last packet). It also can't handle non-libpcap
> capture files, but given that your capture file is *from* tcpdump,
> it's obviously readable by tcpdump....
>
> > tshark is almost the right thing, except that tshark also tries to
> > read in the whole capture first instead of processing it like editcap.
>
> No, actually, it *does* process it like editcap; neither it nor
> Wireshark read the entire capture file into memory. They *do* keep
> reassembled data in memory, but that's another matter.
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
Endings must come
before new beginnings.
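The tcpdump one-liner quoted above streams the capture one record at a time and keeps only packets matching the BPF expression. As an added illustration that is not from this thread or from the Wireshark project, here is a minimal Python equivalent of the hypothetical filtercap for classic pcap files carrying Ethernet frames (pcapng is not handled); the sample capture is constructed inline, and frames cut short by the snaplen or non-first IP fragments are treated as non-matching, which is an assumption of this example, not something the thread states.

```python
import io
import struct
IPPROTO_TCP = 6

def tcp_port_matches(frame, port):
    """Equivalent of the BPF expression 'tcp port <port>' on one Ethernet/IPv4 frame.
    Frames truncated by the snaplen before the ports count as non-matching."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[14] >> 4 != 4:
        return False
    if frame[23] != IPPROTO_TCP or struct.unpack('>H', frame[20:22])[0] & 0x1FFF:
        return False                                   # not TCP, or a non-first IP fragment
    tcp = 14 + (frame[14] & 0x0F) * 4                  # honour IP options via IHL
    return len(frame) >= tcp + 4 and port in struct.unpack('>HH', frame[tcp:tcp + 4])

def filtercap(src, dst, port):
    """Copy records matching 'tcp port <port>' from pcap stream src to dst, one record at a time."""
    header = src.read(24)
    endian = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}.get(header[:4])
    if endian is None:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    if struct.unpack(endian + 'I', header[20:24])[0] != 1:
        raise ValueError('only LINKTYPE_ETHERNET (1) is handled')
    dst.write(header)
    written = 0
    while True:                                        # only one record is ever in memory
        rec = src.read(16)                             # ts_sec, ts_usec, incl_len, orig_len
        if len(rec) < 16:
            return written
        frame = src.read(struct.unpack(endian + 'IIII', rec)[2])
        if tcp_port_matches(frame, port):
            dst.write(rec + frame)
            written += 1

def sample_pcap():
    """Constructed input: three Ethernet/IPv4/TCP frames, exactly one of them on port 50000."""
    def frame(sport, dport):
        ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 40, 1, 0, 64, IPPROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        tcp = struct.pack('>HHIIBBHHH', sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        return bytes(12) + b'\x08\x00' + ip + tcp
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame(40001, 80), frame(40002, 50000), frame(443, 40003)):
        out += struct.pack('<IIII', 0, 0, len(f), len(f)) + f
    return out

def run_sample(port):
    dst = io.BytesIO()                                 # returns (records written, output bytes)
    n = filtercap(io.BytesIO(sample_pcap()), dst, port)
    return n, len(dst.getvalue())
```

Replace the two io.BytesIO objects with files opened in binary mode to run it on a real capture; the point of the record-at-a-time loop is the same one Guy makes about editcap and tshark, namely that the whole file never has to be loaded.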