Wireshark-users: Re: [Wireshark-users] Tshark Filter to create new smaller PCAP

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Wed, 30 Nov 2011 06:19:33 +0100
Hi George,

Here are some other examples:
tshark -r test.pcap -R "eth.addr==01:01:01:01:01:01" -w testout01.pcap

tshark -r test.pcap -R "eth.addr==01:01:01:01:01:01 || eth.addr==02:02:02:02:02:02"
-w testout02.pcap

tshark -r test.pcap -R "ip.addr==1.1.1.1 || eth.addr==01:01:01:01:01:01"
-w testout03.pcap

tshark -r test.pcap -R "ip.addr==1.1.1.1 || ip.addr==2.2.2.2 || eth.addr==01:01:01:01:01:01"
-w testout04.pcap

Best regards
Joke

On Tue, 29 Nov 2011 14:19:27 -0800 (PST) Wes wrote:
>George,
>
>tshark -h is probably easier to understand than the man page, but try something
>like this:
>
>tshark -R ip.addr==1.1.1.1 -r test.pcap -w testout.pcap
>
>Wes
>
>--- On Tue, 11/29/11, George Vandelet <george_vandelet@xxxxxxxxx> wrote:
>Super Users.
>I have a PCAP file that is over 100M.? I wish to open it but my GUI version
>of Wireshark 32.0.0_ofc14 but it crashes each time I try to open it.? I
have
>heard that one can use Tshark to open huge PCAP files then perform a filter
>to focus in on the type of traffic and then save the results to a different
>PCAP file.? Hopefully the new PCAP file will be smaller than the original
>and I can open it with the GUI version of Wireshark.? 
>
>The man page for Tshark is too cryptic for me.? I am hoping that someone
>has done this before and can guide me to which options I need to choose
on
>the TSHARK command to achieve what I want.? I would prefer to filter on
a
>MAC address but can filter on an IP address. 
>
>Can
> someone provide me with an example Tshark command that I could use to accomplish
>this?
>Lets assume the following:??? test.pcap - is the name of the original file
>that is huge
>??? my filter criteria is either an IP address of 1.1.1.1 or a MAC is 01:01:01:01:01:01???
>testout.pcap - is the name of the file I wish to make using one of the above
>filters that hopefully will contain only a small amount of packets and result
>in a PCAP file that I can open with the GUI version of Wireshark.
>Thanks,
>George