Wireshark mailing list archives
Something like editcap?
From: Kurt Buff <kurt.buff () gmail com>
Date: Fri, 17 Jun 2011 15:59:47 -0700
All,

I'm trying to troubleshoot slow web page loading at $WORK, and have three captures taken simultaneously - 1 Wireshark capture at the test XP workstation, and two tcpdumps at the firewall (one for each NIC, inside and outside).

I have several suspects for the root cause (our DNS servers are overloaded or toxic interactions of IPv6 with IPv4 on dual stack machines are the top two), but need to get a better grip on flow and timing to (dis)confirm my thoughts.

The one for the workstation is less than a megabyte, while the two for the firewall are over 25 megabytes each.

I've been able to extract a set of addresses of interest, for both DNS and HTTP, but am having the Devil's own time trying to trace out the timing.

I'd really like to slim down the two large cap files, and then merge all three of them, but editcap seems only to work on packet numbers, not actual packet content.

Is there a set of techniques that folks use to wade through large files like this to make it easier to see what's happening?

I'm a bit of a newb at packet tracking, and haven't had time to dive into the Laura Chappell monster book, so any pointers would be much appreciated.

Thanks,

Kurt