Wireshark · Wireshark-users: Re: [Wireshark-users] How to filter out last 1000 frames in a quick way

Wireshark-users: Re: [Wireshark-users] How to filter out last 1000 frames in a quick way

From: Hansang Bae <hbae@xxxxxxxxxx>

Date: Mon, 07 Jul 2008 15:28:04 -0400

Abhik Sarkar wrote:

Or, if you are in a *nix environment (or have Cygwin on Windows), with
a bit of scripting, you can do the following:
use capinfos to get the number of packets in the file:
$ capinfos -c test.cap
File name: test.cap
Number of packets: 8802

Then use something like:
$ editcap -r test.cap extract.cap 7803-8802

Then, extract.cap will have the last 1000 packets!

This method is longer than what Hansang suggested, but will result in
exactly one file which is of interest to you ;-)

Very true! And you never know, the "final" file could have just 800packets it in, so this is a better approach.



--

Thanks,
Hansang

References:
- Re: [Wireshark-users] How to filter out last 1000 frames in a quick way
  - From: Hansang Bae
- Re: [Wireshark-users] How to filter out last 1000 frames in a quick way
  - From: Abhik Sarkar

Prev by Date: Re: [Wireshark-users] add random packet lost
Next by Date: Re: [Wireshark-users] how to print time with epoch formation by tshark
Previous by thread: Re: [Wireshark-users] How to filter out last 1000 frames in a quick way
Next by thread: Re: [Wireshark-users] BPDU packets
Index(es):
- Date
- Thread