Wireshark-users: Re: [Wireshark-users] filtering in non-GUI mode

From: Julian Fielding <jfielding@xxxxxxxxxxxxxxx>
Date: Mon, 20 Jul 2009 21:39:13 +0100
Andrej van der Zee wrote on Sat, 18 Jul 2009 00:52:51 +0900

>> Maybe you will need to use the command-based tshark utility which comes with Wireshark:
>> - tshark -r dump.cap -R "ip.addr == 1.2.3.4" -w new_file.cap
>> - Then "wireshark new_file.cap" would just be fine.
>>
>
>Thanks for the tip! I didn't know tshark.
>
>The problem is that tshark also gets huge until it reaches its
>maximum process size (somewhere around 3GB for a 1.3GB cap-file). Why
>does it need so much memory? Can't it handle package by package?

Wire/Tshark are too good! They are essentially the same program. They 
maintain state about all packets. You don't need that, probably, but it 
means a big enough file will cause either to run out of memory.

Use editcap to split the big file into lots of small ones, then filter 
them with tshark, then use mergecap to combine the results. Those are all 
command line tools, so you can automate the process.

editcap -c100000 dump.cap split_file.cap

That will generate files like:
split_file_00000_20090720200100.cap
split_file_00001_20090720210000.cap
and so on.

The 100000 is the size of each split file in frames. I find that small 
enough so Wireshark is reasonably fast on my system. You could make it 
bigger if you're only going to run tshark on them.

Julian.
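The split / filter / merge procedure Julian describes, automated as a POSIX shell script. This is an added example and not code from the thread. It assumes editcap, tshark and mergecap from the Wireshark suite are on PATH; the three-frame capture written by write_sample_pcap is constructed here purely so the script has something to run on. The 2009 thread filters with "tshark -R"; tshark 1.10 and later use -Y for the same single-pass filter (and -R then requires two-pass mode, -2), so the script picks whichever flag the installed tshark understands.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): automate the
# editcap -> tshark -> mergecap procedure for captures too big for
# tshark to hold in memory in one go.
# Assumes editcap, tshark and mergecap are on PATH. The three-frame
# capture written by write_sample_pcap is constructed for this demo.
set -eu

have_wireshark_tools() {
  command -v editcap >/dev/null 2>&1 &&
  command -v tshark >/dev/null 2>&1 &&
  command -v mergecap >/dev/null 2>&1
}

# The 2009 thread uses "tshark -R <filter>". Since tshark 1.10 the
# single-pass filter flag is -Y (and -R requires two-pass mode, -2).
filter_flag() {
  if tshark -h 2>/dev/null | grep -q -- '-Y <'; then echo -Y; else echo -R; fi
}

# Append one 34-byte Ethernet II / IPv4 frame (no payload, IP protocol 253,
# "experimental") to the pcap file $1; $2/$3 are octal-escaped src/dst IPs.
write_frame() {
  # pcap record header: ts_sec, ts_usec, incl_len=34, orig_len=34 (little-endian)
  printf '\000\000\145\112\000\000\000\000\042\000\000\000\042\000\000\000' >>"$1"
  # Ethernet II: dst 00:11:22:33:44:55, src 00:aa:bb:cc:dd:ee, type 0x0800
  printf '\000\021\042\063\104\125\000\252\273\314\335\356\010\000' >>"$1"
  # IPv4: ver/ihl 0x45, total length 20, id 1, flags 0, ttl 64, proto 253, checksum 0
  printf '\105\000\000\024\000\001\000\000\100\375\000\000' >>"$1"
  printf "$2$3" >>"$1"
}

# Constructed sample: three frames, two of which involve 10.0.0.1.
write_sample_pcap() {
  # pcap global header: magic 0xa1b2c3d4 (LE), v2.4, snaplen 65535, LINKTYPE_ETHERNET
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' >"$1"
  write_frame "$1" '\012\000\000\001' '\012\000\000\002'   # 10.0.0.1 -> 10.0.0.2
  write_frame "$1" '\012\000\000\003' '\012\000\000\004'   # 10.0.0.3 -> 10.0.0.4
  write_frame "$1" '\012\000\000\002' '\012\000\000\001'   # 10.0.0.2 -> 10.0.0.1
}

# split_filter_merge <input.cap> <display filter> <output.cap> [frames per part]
# Each part is small enough for tshark to keep its per-packet state in RAM.
split_filter_merge() {
  in=$1; filter=$2; out=$3; frames=${4:-100000}
  work=$(mktemp -d)
  editcap -c "$frames" "$in" "$work/part.cap"        # -> part_00000_<timestamp>.cap, ...
  for part in "$work"/part_*.cap; do
    tshark -r "$part" "$(filter_flag)" "$filter" -w "$part.filtered"
  done
  mergecap -w "$out" "$work"/part_*.filtered
  rm -rf "$work"
}

# Number of frames in a capture, one frame.number per line.
count_frames() {
  tshark -r "$1" -T fields -e frame.number | wc -l | tr -d ' '
}

main() {
  tmp=$(mktemp -d)
  write_sample_pcap "$tmp/dump.cap"
  if have_wireshark_tools; then
    # one frame per part, so the split/merge path is actually exercised
    split_filter_merge "$tmp/dump.cap" 'ip.addr == 10.0.0.1' "$tmp/new_file.cap" 1
    echo "input frames: $(count_frames "$tmp/dump.cap"), matching 10.0.0.1: $(count_frames "$tmp/new_file.cap")"
  else
    echo "editcap/tshark/mergecap not found; install Wireshark to run the pipeline" >&2
  fi
  rm -rf "$tmp"
}

main "$@"
```

For a real 1.3GB dump, call split_filter_merge with the default 100000 frames per part (or larger, as Julian notes, if only tshark will ever read the parts) and open the merged result in Wireshark. mergecap writes pcapng by default; pass it -F pcap if a downstream tool needs classic pcap.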