Re: [Wireshark-users] Filtering a very large capture file

2007-01-26 Thread Stuart MacDonald
From: On Behalf Of Jeff Morriss What about: - split the files into 1000 smaller files - use a (decent) shell with tshark to process those files with tshark The latter could be achieved in a Korn style shell with something like: (for f in *.eth do tshark -r $f -w - -R

Re: [Wireshark-users] Filtering a very large capture file

2007-01-26 Thread Stuart MacDonald
From: Stuart MacDonald [mailto:[EMAIL PROTECTED]] I don't think the documentation mentions '-' is supported for -w. Cancel that, I just missed it last night. It was late. ..Stu ___ Wireshark-users mailing list Wireshark-users@wireshark.org

Re: [Wireshark-users] Filtering a very large capture file

2007-01-26 Thread Stuart MacDonald
From: On Behalf Of Guy Harris On Jan 25, 2007, at 8:23 PM, Stuart MacDonald wrote: I've read the man pages on the tools that come with Wireshark. I was hoping to find a tool that opens a capture, applies a filter and outputs matching packets to a new file. Here's a sample run of the

Re: [Wireshark-users] Filtering a very large capture file

2007-01-26 Thread Seymour Dupa
What about 'grep'? I used it a lot in my DOS days. I'm sure there is/are Windows versions. It's quite powerful with many wildcard characters and search patterns. It will do a lot of filtering for you. You may have to run it several times for the different search parameters. John --- Guy

Re: [Wireshark-users] Filtering a very large capture file

2007-01-26 Thread Small, James
I wonder if ngrep would work for you: http://ngrep.sourceforge.net/ There are binaries for most platforms including Linux and Windows. Perhaps you could do something like this: ngrep -I input.cap -O output.cap regex I tried and it seems to work, although I only used a 20MB capture file. --Jim

Re: [Wireshark-users] Filtering a very large capture file

2007-01-26 Thread Stuart MacDonald
From: On Behalf Of Small, James I wonder if ngrep would work for you: http://ngrep.sourceforge.net/ Nifty! I bet it would, but the tcpdump solution earlier has worked for me. Thanks though! ..Stu

Re: [Wireshark-users] Filtering a very large capture file

2007-01-26 Thread Seymour Dupa
Can it be exported as text? --- Stuart MacDonald [EMAIL PROTECTED] wrote: From: On Behalf Of Seymour Dupa What about 'grep'? The capture is libpcap format. grep would need to understand network packets to be at all effective. This is not a simple line from a text file situation.

Re: [Wireshark-users] Filtering a very large capture file

2007-01-26 Thread Luis Ontanon
On 1/26/07, Seymour Dupa [EMAIL PROTECTED] wrote: Can it be exported as text? Yes you could, but either you lose most of the information having each packet in a single line, or you have the whole tree and the data pane that spans several lines, where grep is not good anymore. BTW to have it

Re: [Wireshark-users] Filtering a very large capture file

2007-01-26 Thread Seymour Dupa
Wish I had a job where I'd get paid to learn and use Wireshark. John --- Luis Ontanon [EMAIL PROTECTED] wrote: On 1/26/07, Seymour Dupa [EMAIL PROTECTED] wrote: Can it be exported as text? Yes you could, but either you lose most of the information having each packet in a single line, or