Wireshark-users: Re: [Wireshark-users] How to extract raw TCP data with command line ?

Date: Mon, 13 Aug 2012 14:37:29 +0000

For that much data I really think you want to look at cascade pilot (http://www.riverbed.com/us/products/cascade/cascade_pilot.php) it deals with huge captures much better. Once you filter down to what your looking for you can then send just that data from Pilot out to Wireshark to get at the bytes.

 

If you still just want to use just wireshark I think you would be better off breaking it down in to smaller chunks. You can used editcap.exe to break the file up in to chunks with x amount of packets or time in each file or pull out a specific time frame in to its own file. You could try to use tshark to filter specific streams or types of traffic in to its own file but I’m not sure what tshark will do with a 100gb capture.

 

Hope that helps

 

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Lecointe, Nicolas
Sent: Monday, August 13, 2012 8:27 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] How to extract raw TCP data with command line ?

 

All,

 

In Wireshark, we can extract raw TCP data by "Follow TCP Stream" + "Save As".

But Wireshark can't open very large capture file (+100 GB). How can I extract raw TCP data with command line ?

 

Thanks

Nicolas