What about 'grep'? I used it a lot in my DOS days. I'm sure there is/are Windows versions. It's quite powerful with many wildcard characters and search patterns. It will do a lot of filtering for you. You may have to run it several times for the different search parameters.
John

--- Guy Harris <[EMAIL PROTECTED]> wrote:

>
> On Jan 25, 2007, at 8:23 PM, Stuart MacDonald wrote:
>
> > I've read the man pages on the tools that come with Wireshark. I was
> > hoping to find a tool that opens a capture, applies a filter and
> > outputs matching packets to a new file. Here's a sample run of the
> > hypothetical filtercap tool:
> > # filtercap -r very-large.eth -w only-infrequent.eth -f "tcp.port==50000"
>
> tcpdump -r very-large.eth -w only-infrequent.eth tcp port 50000
>
> That can't do arbitrary display filtering, but truly *arbitrary*
> display filtering has problems with reassembly (i.e., a filter that
> matches something in the reassembled portion of the packet can't match
> anything but the last packet). It also can't handle non-libpcap
> capture files, but given that your capture file is *from* tcpdump,
> it's obviously readable by tcpdump....
>
> > tshark is almost the right thing, except that tshark also tries to
> > read in the whole capture first instead of processing it like editcap.
>
> No, actually, it *does* process it like editcap; neither it nor
> Wireshark read the entire capture file into memory. They *do* keep
> reassembled data in memory, but that's another matter.
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-users
> Endings must come before new beginnings.
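The "filtercap" tool Stuart describes, written out as an added example (not code from this thread, tcpdump or Wireshark): it streams a pcap one record at a time, as tcpdump -r/-w and editcap do, keeping only packets on a given TCP port, so memory use does not grow with the capture. Like tcpdump's capture filter it matches per packet only and does not see reassembled data; it assumes classic little-endian pcap with Ethernet/IPv4 frames, and the sample traffic is constructed inline.

```python
import io
import struct
PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps

def tcp_ports(pkt: bytes):
    """Return (src, dst) ports of an Ethernet/IPv4/TCP frame, or None otherwise."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
        return None
    off = 14 + (pkt[14] & 0x0F) * 4          # Ethernet header + IHL
    if len(pkt) < off + 4:
        return None
    return struct.unpack("!HH", pkt[off:off + 4])

def filtercap(src, dst, port: int) -> int:
    """Stream src to dst record by record, keeping packets on the given TCP port.
    Only one packet is held in memory, so the input can be arbitrarily large."""
    header = src.read(24)
    if len(header) < 24 or struct.unpack("<I", header[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    dst.write(header)                         # global header is copied unchanged
    kept = 0
    while True:
        rec = src.read(16)                    # per-packet record header
        if len(rec) < 16:
            return kept
        pkt = src.read(struct.unpack("<IIII", rec)[2])   # incl_len bytes
        if port in (tcp_ports(pkt) or ()):
            dst.write(rec + pkt)
            kept += 1

def filter_bytes(data: bytes, port: int):
    """Wrapper for in-memory captures; returns (kept, filtered pcap bytes)."""
    out = io.BytesIO()
    kept = filtercap(io.BytesIO(data), out, port)
    return kept, out.getvalue()

def tcp_frame(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed minimal Ethernet/IPv4/TCP frame; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def build_pcap(frames) -> bytes:
    """Wrap constructed frames in pcap global and record headers (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1169700000 + i, 0, len(f), len(f)) + f
    return out
```

On a real file, pass open(src, "rb") and open(dst, "wb") to filtercap; the output is itself a valid pcap that tcpdump or Wireshark can open.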