Hello,
Maybe you will need to use the command-based tshark utility which comes with Wireshark:
- tshark -r dump.cap -R "ip.addr == 1.2.3.4" -w new_file.cap
- Then "wireshark new_file.cap" would just be fine.
Hopefully it helps.
Regards,
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Andrej van der Zee
Sent: Friday, July 17, 2009 9:33 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] filtering in non-GUI mode
Hi,
I have huge capture files and I would like to filter them, without
loading the whole cap-file. The display filter does what I want
(wireshark -R ip.addr==1.2.3.4 dump.cap), but instead of buffering
everything into the GUI, I would like to output the filtered packages
to a new cap-file. The original cap-file is 1.3GB and Wireshark will
get past its maximum allowed process-memory when it loads it.
Is there a way to filter in non-GUI mode?
Thank you,
Andrej
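The same idea as the tshark command above (keep only packets to or from one IP address without loading the whole capture), written as a record-by-record filter so memory use stays constant. This is an added example, not code from the thread or from the Wireshark project; it assumes a classic pcap file (not pcapng) with Ethernet framing and IPv4, and the names filter_pcap_by_ip and build_sample are hypothetical.

```python
import io
import socket
import struct

PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond
LINKTYPE_ETHERNET = 1

def filter_pcap_by_ip(src, dst, ip):
    """Copy packets whose IPv4 source or destination equals `ip` from the
    binary stream `src` to `dst`, one record at a time. Returns the count."""
    wanted = socket.inet_aton(ip)
    header = src.read(24)                      # pcap global header
    endian = PCAP_MAGICS.get(header[:4])
    if len(header) != 24 or endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(endian + "I", header[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    dst.write(header)
    kept = 0
    while True:
        rec = src.read(16)                     # ts_sec, ts_frac, incl_len, orig_len
        if len(rec) < 16:
            break                              # clean EOF or truncated record header
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        frame = src.read(incl_len)
        if len(frame) < incl_len:
            break                              # capture was cut off mid-packet
        offset, ethertype = 14, frame[12:14]
        if ethertype == b"\x81\x00":           # single 802.1Q VLAN tag
            offset, ethertype = 18, frame[16:18]
        if ethertype != b"\x08\x00" or len(frame) < offset + 20:
            continue                           # not IPv4, or too short to hold addresses
        if wanted in (frame[offset + 12:offset + 16], frame[offset + 16:offset + 20]):
            dst.write(rec + frame)
            kept += 1
    return kept

def build_sample():
    """Constructed two-packet capture: 1.2.3.4 -> 10.0.0.1 and 10.0.0.2 -> 10.0.0.1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for s in ("1.2.3.4", "10.0.0.2"):          # dummy 20-byte IP header, real addresses
        frame = (bytes(12) + b"\x08\x00" + bytes(12)
                 + socket.inet_aton(s) + socket.inet_aton("10.0.0.1"))
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(filter_pcap_by_ip(io.BytesIO(build_sample()), io.BytesIO(), "1.2.3.4"))
```

For a real file, pass `open("dump.cap", "rb")` and `open("new_file.cap", "wb")` as the two streams.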