Wireshark mailing list archives

Re: Tshark Filter to create new smaller PCAP


From: Wes <wes_r () yahoo com>
Date: Tue, 29 Nov 2011 14:19:27 -0800 (PST)

George,

tshark -h is probably easier to understand than the man page, but try something like this:

tshark -R ip.addr==1.1.1.1 -r test.pcap -w testout.pcap

Wes
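
Worked example added here (it is not from Wes's reply or from the Wireshark project): a small pure-Python equivalent of the tshark command above, so the effect of the filter can be seen at the byte level. It reads a classic libpcap file with Ethernet framing, keeps each packet whose source or destination matches a given IPv4 address (what `ip.addr==1.1.1.1` does) or a given MAC address (the tshark display filter for that is `eth.addr==01:01:01:01:01:01`, which George also asked about), and writes the surviving packets to a new, smaller pcap. The capture it operates on is constructed inline; pcapng files and non-Ethernet link types are out of scope and are rejected with an error.

```python
import struct

LINKTYPE_ETHERNET = 1      # DLT_EN10MB, the "network" field of the global header
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def _mac(text):
    """'01:01:01:01:01:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(':', '').replace('-', ''))


def _ip(text):
    """'1.1.1.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split('.'))


def parse_pcap(data):
    """Split a classic (libpcap) capture into its 24-byte global header and a list of
    (16-byte record header, frame bytes) pairs. pcapng is deliberately not handled."""
    magic, = struct.unpack('<I', data[:4])
    if magic in (0xa1b2c3d4, 0xa1b23c4d):      # usec / nsec timestamps, little-endian file
        endian = '<'
    elif magic in (0xd4c3b2a1, 0x4d3cb2a1):    # same magics read from a big-endian file
        endian = '>'
    else:
        raise ValueError('not a classic pcap file (pcapng is not supported here)')
    linktype = struct.unpack(endian + 'I', data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError('this example only understands the Ethernet link type')
    packets, off = [], 24
    while off + 16 <= len(data):
        rec = data[off:off + 16]
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + 'IIII', rec)
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError('truncated packet record')
        packets.append((rec, frame))
        off += 16 + incl_len
    return data[:24], packets


def packet_matches(frame, ip=None, mac=None):
    """True if the frame carries `mac` as Ethernet src/dst, or `ip` as IPv4 src/dst.
    Either criterion is enough, mirroring 'eth.addr==X or ip.addr==Y'."""
    if len(frame) < 14:
        return False
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack('!H', frame[12:14])[0]
    if mac is not None and _mac(mac) in (dst_mac, src_mac):
        return True
    # IPv4 header follows the 14-byte Ethernet header; src at +12, dst at +16
    if ip is not None and ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        if _ip(ip) in (frame[26:30], frame[30:34]):
            return True
    return False


def filter_pcap(data, ip=None, mac=None):
    """Return (new pcap bytes, packets kept, packets seen) for the given filter."""
    global_header, packets = parse_pcap(data)
    kept = [(rec, frame) for rec, frame in packets if packet_matches(frame, ip=ip, mac=mac)]
    return global_header + b''.join(rec + frame for rec, frame in kept), len(kept), len(packets)


# ---- constructed sample capture (not real traffic) -------------------------------
def _frame(src_mac, dst_mac, src_ip=None, dst_ip=None):
    """Ethernet frame with a minimal IPv4 header, or an ARP frame when no IPs are given."""
    if src_ip is None:
        return _mac(dst_mac) + _mac(src_mac) + struct.pack('!H', ETHERTYPE_ARP) + b'\x00' * 28
    ip_header = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20, 0, 0, 64, 1, 0, _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack('!H', ETHERTYPE_IPV4) + ip_header


def _build_pcap(frames):
    header = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack('<IIII', 1322604000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b''.join(records)


SAMPLE_PCAP = _build_pcap([
    _frame('01:01:01:01:01:01', 'aa:bb:cc:dd:ee:01', '10.0.0.5', '10.0.0.9'),  # MAC match only
    _frame('02:02:02:02:02:02', 'aa:bb:cc:dd:ee:01', '1.1.1.1', '10.0.0.9'),   # IP match only
    _frame('03:03:03:03:03:03', 'aa:bb:cc:dd:ee:01', '10.0.0.7', '10.0.0.8'),  # no match
    _frame('01:01:01:01:01:01', 'ff:ff:ff:ff:ff:ff'),                          # ARP, MAC match only
])

if __name__ == '__main__':
    out, kept, total = filter_pcap(SAMPLE_PCAP, ip='1.1.1.1', mac='01:01:01:01:01:01')
    print(f'kept {kept} of {total} packets, {len(out)} bytes written')
    with open('testout.pcap', 'wb') as fh:
        fh.write(out)
```

The output file is a valid classic pcap that the Wireshark GUI opens directly. For real captures the tshark one-liner above is the right tool (it understands pcapng, VLAN tags, IPv6 and so on); this script exists to make visible what "filter, then write" actually keeps and discards.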

--- On Tue, 11/29/11, George Vandelet <george_vandelet () yahoo com> wrote:

From: George Vandelet <george_vandelet () yahoo com>
Subject: [Wireshark-users] Tshark Filter to create new smaller PCAP
To: "Wireshark" <wireshark-users () wireshark org>
Date: Tuesday, November 29, 2011, 4:56 PM

Super Users.
I have a PCAP file that is over 100M. I wish to open it with my GUI version of Wireshark 32.0.0_ofc14, but it crashes each time I try to open it. I have heard that one can use Tshark to open huge PCAP files, then perform a filter to focus in on the type of traffic, and then save the results to a different PCAP file. Hopefully the new PCAP file will be smaller than the original and I can open it with the GUI version of Wireshark.

The man page for Tshark is too cryptic for me.  I am hoping that someone has done this before and can guide me to which 
options I need to choose on the TSHARK command to achieve what I want.  I would prefer to filter on a MAC address but 
can filter on an IP address. 

Can someone provide me with an example Tshark command that I could use to accomplish this?

Let's assume the following:
    test.pcap - is the name of the original file that is huge
    my filter criteria is either an IP address of 1.1.1.1 or a MAC of 01:01:01:01:01:01
    testout.pcap - is the name of the file I wish to make using one of the above filters that hopefully will contain only a small number of packets and result in a PCAP file that I can open with the GUI version of Wireshark.
Thanks,
George
 
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe