Wireshark-users: Re: [Wireshark-users] Large files

Date: Fri, 8 May 2009 20:08:55 +0200
Hi Ujjval,

You can use editcap to split the file:
http://www.wireshark.org/docs/man-pages/editcap.html

First you can use capinfos to display statistics of the capture file:
http://www.wireshark.org/docs/man-pages/capinfos.html

capinfos -c displays the number of packets in the capture file:
$ capinfos -c test.cap
File name: test.cap
Number of packets: 511145

Next you can use editcap with the option -c to set the maximum number of
packets per output file.
In this example 100.000 packets per file. Each output file will be created
with a suffix, starting with -00000.
editcap -c <packets per file> <inputfile> <outputfile>
$ editcap -c 100000 test.cap split.cap

The following command displays the names of the created capture files and
the number of packets in each file. 
$ capinfos -c split.cap*
File name: split.cap-00000
Number of packets: 100000

File name: split.cap-00001
Number of packets: 100000

File name: split.cap-00002
Number of packets: 100000

File name: split.cap-00003
Number of packets: 100000

File name: split.cap-00004
Number of packets: 100000

File name: split.cap-00005
Number of packets: 11145


Hope this helps.
Joan



>From: Ujjval Karihaloo <ujjval@xxxxxxxxxxxxxxxx>
On Fri, 8 May 2009 09:49:23 -0700 Ujjval Karihaloo wrote:
>
>Can we split up large PCAP (about 1 Gig) files so Windows can open them
>and not run out of memory.
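
Added example, not part of the original e-mail and not editcap's own code: a streaming splitter showing what a split by packet count does to a classic pcap file, reading one record at a time so memory use does not grow with file size. The names split_pcap, make_sample and MAX_RECORD are hypothetical, the sample capture is constructed, pcapng is not handled, and the output names follow the -00000 suffix shown in the reply above.

```python
import struct

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (usec, nsec)
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian (usec, nsec)
MAX_RECORD = 64 * 1024 * 1024  # assumed sanity cap on one record's captured length

def split_pcap(src, out_prefix, per_file):
    """Stream src into files of at most per_file packets; return [(name, count)]."""
    if per_file < 1:
        raise ValueError("per_file must be >= 1")
    results, out = [], None
    with open(src, "rb") as f:
        ghdr = f.read(24)                       # global header, copied to every chunk
        endian = MAGICS.get(ghdr[:4])
        if len(ghdr) < 24 or endian is None:
            raise ValueError("not a classic pcap file (pcapng is not handled here)")
        try:
            while True:
                rhdr = f.read(16)               # ts_sec, ts_frac, incl_len, orig_len
                if not rhdr:
                    break                       # clean end of file
                if len(rhdr) < 16:
                    raise ValueError("truncated record header")
                incl_len = struct.unpack(endian + "4I", rhdr)[2]
                if incl_len > MAX_RECORD:       # reject a corrupt length before reading
                    raise ValueError("implausible record length %d" % incl_len)
                data = f.read(incl_len)
                if len(data) < incl_len:
                    raise ValueError("truncated packet data")
                if out is None or results[-1][1] == per_file:
                    if out:
                        out.close()
                    name = "%s-%05d" % (out_prefix, len(results))
                    out = open(name, "wb")
                    out.write(ghdr)             # each chunk is a complete pcap file
                    results.append([name, 0])
                out.write(rhdr + data)
                results[-1][1] += 1
        finally:
            if out:
                out.close()
    return [tuple(r) for r in results]

def make_sample(path, n):
    """Write a constructed little-endian pcap holding n 4-byte dummy packets."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i in range(n):
            f.write(struct.pack("<4I", i, 0, 4, 4) + struct.pack("<I", i))
```

A truncated or corrupt capture raises ValueError instead of producing a silently short last file, which matters when the split files are later used as evidence or fed to other tools.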