Wireshark-users: [Wireshark-users] Betr: How to filter out last 1000 frames in a quick way

Date: Mon, 23 Jun 2008 16:52:40 +0200
>Bin Zhou wrote:
>Sometime, I capture a big size of file, but I may need to do voip calls
>analysis for a snapshot. For example, it is good enough for me to see
>flows of last one thousand packets.
>
>If there is a quick way to filter out last 1000 frames without going to
>the frame or packet detail level, it will be very helpful.


You can use capinfos to print information about the capture file.
Use the option -c if you just want to display the number of packets.

Next you can use editcap with the option -r to select the last 1000 packets
and save them to another file.


Fr@UFH /A6
$ capinfos test.pcap
File name: test.pcap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Ethernet
Number of packets: 15930
File size: 15563769 bytes
Data size: 15308865 bytes
Capture duration: 598.584067 seconds
Start time: Sun May 25 19:03:20 2008
End time: Sun May 25 19:13:19 2008
Data rate: 25575.13 bytes/s
Data rate: 204601.04 bits/s
Average packet size: 961.01 bytes
Average packet rate: 26.61 packets/s

Fr@UFH /A6
$ capinfos -c test.pcap
File name: test.pcap
Number of packets: 15930

Fr@UFH /A6
$ editcap test.pcap outfile.pcap -r 14931-15930
Add_Selected: 14931-15930
Inclusive ... 14931, 15930

Grtz
Joan