On Tue, Jun 11, 2013 at 10:51 PM, Rayne <hjazz6@xxxxxxxxx> wrote:
> Is there a way to turn off TCP reassembly in tshark? I'm running tshark on
> multiple files using a script on a Linux server, so I can't use SplitCap.
tshark -o tcp.desegment_tcp_streams:false ...
> And it also doesn't seem like I can split up the files with editcap.
> Whenever I tried to do that with the large pcap files, I got empty output
> files (24 bytes) instead. I'm not sure if it was due to the large file size.
That's odd. If you can reproduce consistently (and perhaps with a
smaller capture) please file a bug.
Cheers,
Evan