Wireshark-users: Re: [Wireshark-users] filtering in non-GUI mode

From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Sat, 18 Jul 2009 00:52:51 +0900
Hi,

>
> Maybe you will need to use the command-based tshark utility which comes with Wireshark:
> - tshark -r dump.cap -R "ip.addr == 1.2.3.4" -w new_file.cap
> - Then "wireshark new_file.cap" would just be fine.
>

Thanks for the tip! I didn't know tshark.

The problem is that tshark also gets huge until it reaches its
maximum process size (somewhere around 3GB for a 1.3GB cap-file). Why
does it need so much memory? Can't it handle package by package?

Cheers,
Andrej
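To illustrate the "packet by packet" processing Andrej is asking about, here is an added example (not code from the thread, and not how tshark itself is implemented): a streaming filter that reads a classic pcap file one record at a time, keeps only frames whose IPv4 source or destination matches the requested address (the equivalent of the `ip.addr == 1.2.3.4` read filter above), and writes them to a new file, so memory use stays constant regardless of capture size. It assumes the classic pcap format with an Ethernet link layer; pcapng, IPv6 and VLAN-tagged frames are deliberately out of scope, and the sample capture it filters is constructed in memory for the demo.

```python
"""
Streaming pcap filter (added example, not from the thread).
Keeps only packets whose IPv4 source or destination equals a given address,
reading and writing one record at a time so memory stays constant.
Assumptions: classic pcap format (not pcapng), Ethernet link type (DLT 1),
plain IPv4 (no VLAN tags, no IPv6).
"""
import io
import struct
import ipaddress

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a LE file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same bytes seen from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def _frame_matches_ip(frame: bytes, wanted: bytes) -> bool:
    """True if the Ethernet frame carries IPv4 with src or dst == wanted (packed)."""
    if len(frame) < 14 + 20:            # Ethernet header + minimal IPv4 header
        return False
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        return False                    # malformed header: skip, do not crash
    return ip[12:16] == wanted or ip[16:20] == wanted


def filter_pcap_by_ip(src, dst, ip_addr: str) -> tuple[int, int]:
    """Copy src -> dst, keeping only records matching ip_addr. Returns (read, kept)."""
    wanted = ipaddress.IPv4Address(ip_addr).packed
    header = src.read(24)
    if len(header) != 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", header[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    linktype = struct.unpack(endian + "I", header[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    dst.write(header)                   # output keeps the same global header
    read = kept = 0
    while True:                         # one record in memory at a time
        rec = src.read(16)
        if not rec:
            break
        if len(rec) != 16:
            raise ValueError("truncated record header")
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        frame = src.read(incl_len)
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")
        read += 1
        if _frame_matches_ip(frame, wanted):
            dst.write(rec)
            dst.write(frame)
            kept += 1
    return read, kept


def filter_bytes(data: bytes, ip_addr: str) -> tuple[bytes, int, int]:
    """Convenience wrapper for in-memory captures: returns (filtered_pcap, read, kept)."""
    out = io.BytesIO()
    read, kept = filter_pcap_by_ip(io.BytesIO(data), out, ip_addr)
    return out.getvalue(), read, kept


def _build_frame(src_ip: str, dst_ip: str) -> bytes:
    """Constructed Ethernet+IPv4 frame with no payload (checksum left zero)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def build_sample_pcap(flows) -> bytes:
    """Constructed little-endian pcap containing one frame per (src, dst) pair."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, (s, d) in enumerate(flows):
        frame = _build_frame(s, d)
        out.write(struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def demo() -> tuple[int, int]:
    """Filter a constructed 4-packet capture for ip.addr == 1.2.3.4 (sample address)."""
    sample = build_sample_pcap([
        ("10.0.0.1", "1.2.3.4"),
        ("10.0.0.2", "10.0.0.3"),
        ("1.2.3.4", "10.0.0.1"),
        ("192.168.1.1", "192.168.1.2"),
    ])
    _filtered, read, kept = filter_bytes(sample, "1.2.3.4")
    return read, kept


if __name__ == "__main__":
    print(demo())  # (4, 2)
```

For a real file, open both sides in binary mode and pass the handles, e.g. `with open("dump.cap", "rb") as s, open("new_file.cap", "wb") as d: filter_pcap_by_ip(s, d, "1.2.3.4")`; because only the current record is ever held in memory, a multi-gigabyte capture costs no more RAM than a small one. The trade-off against tshark's `-R` is that a display filter needs full dissection and, historically, per-packet state kept across the whole file, which is what lets it express far richer conditions than a fixed IPv4 match.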