Wireshark-users: [Wireshark-users] run tshark without buffering
Hi,
I was wondering if there is a way to make tshark work packet by packet and skip the buffering. I just want to use a display filter on a huge cap-file without going out of memory. I know I can first cut it in pieces, but this is becoming a tedious job if you have to do it over and over again, even with scripting. In particular, the following command could be perfectly handled packet by packet, without the buffering (I guess):
tshark -R "ip.addr == 1.2.3.4" -r huge.cap -w filtered-huge.cap
Or is there another tool that can filter on ip address on big files?
Thank you,
Andrej
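
A packet-by-packet filter of the kind the post asks about, as an added example that is not part of the original message and is not Wireshark code. It assumes a classic pcap file (not pcapng) with Ethernet framing and IPv4, and matches source or destination address like `ip.addr`; the names `filter_pcap_by_ip` and `sample_pcap` are hypothetical.

```python
import socket
import struct

# Classic pcap magics (micro- and nanosecond variants) mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}


def filter_pcap_by_ip(src, dst, ip):
    """Stream src to dst, keeping records whose IPv4 src or dst is `ip`."""
    want = socket.inet_aton(ip)
    ghdr = src.read(24)
    order = MAGICS.get(ghdr[:4])
    if order is None or len(ghdr) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(order + "I", ghdr[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    dst.write(ghdr)
    seen = kept = 0
    while True:  # only one record is held in memory at a time
        rhdr = src.read(16)
        if len(rhdr) < 16:
            break  # end of file, or a truncated record header
        incl_len = struct.unpack(order + "4I", rhdr)[2]
        data = src.read(incl_len)
        if len(data) < incl_len:
            break  # capture cut off mid-packet: do not emit a short record
        seen += 1
        off = 12
        while data[off:off + 2] in (b"\x81\x00", b"\x88\xa8"):  # VLAN tags
            off += 4
        addrs = data[off + 14:off + 22]  # IPv4 source + destination
        if data[off:off + 2] == b"\x08\x00" and len(addrs) == 8 \
                and want in (addrs[:4], addrs[4:]):
            dst.write(rhdr + data)
            kept += 1
    return seen, kept


def sample_pcap(pairs):
    """Constructed test capture: one minimal Ethernet/IPv4 frame per (src, dst)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for s, d in pairs:
        frame = bytes(12) + b"\x08\x00" + b"\x45" + bytes(11) \
            + socket.inet_aton(s) + socket.inet_aton(d)
        out += struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    return out
```

For a real capture, pass two file objects opened in binary mode (read for the input, write for the output); the returned pair is the number of records read and the number written.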