I wonder if ngrep would work for you: http://ngrep.sourceforge.net/
There are binaries for most platforms including Linux and Windows. Perhaps you could do something like this:

    ngrep -I input.cap -O output.cap "regex"

I tried and it seems to work, although I only used a 20MB capture file.

--Jim

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:wireshark-users-[EMAIL PROTECTED] On Behalf Of Seymour Dupa
>
> What about 'grep'?
> I used it a lot in my DOS days. I'm sure there is/are Windows versions. It's quite powerful with many wildcard characters and search patterns. It will do a lot of filtering for you.
> You may have to run it several times for the different search parameters.
>
> John
>
> --- Guy Harris <[EMAIL PROTECTED]> wrote:
>
> > On Jan 25, 2007, at 8:23 PM, Stuart MacDonald wrote:
> >
> > > I've read the man pages on the tools that come with Wireshark. I was
> > > hoping to find a tool that opens a capture, applies a filter and
> > > outputs matching packets to a new file. Here's a sample run of the
> > > hypothetical filtercap tool:
> > > # filtercap -r very-large.eth -w only-infrequent.eth -f "tcp.port==50000"
> >
> > tcpdump -r very-large.eth -w only-infrequent.eth tcp port 50000
> >
> > That can't do arbitrary display filtering, but truly *arbitrary* display filtering has problems with reassembly (i.e., a filter that matches something in the reassembled portion of the packet can't match anything but the last packet). It also can't handle non-libpcap capture files, but given that your capture file is *from* tcpdump, it's obviously readable by tcpdump....
> >
> > > tshark is almost the right thing, except that tshark also tries to
> > > read in the whole capture first instead of processing it like editcap.
> >
> > No, actually, it *does* process it like editcap; neither it nor Wireshark read the entire capture file into memory. They *do* keep reassembled data in memory, but that's another matter.

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
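As an added illustration of the streaming behaviour Guy describes (example code written for this page, not anything posted in the thread and not part of the Wireshark or ngrep projects): a small Python script that reads a classic libpcap file record by record, keeps frames matching the equivalent of tcp.port==50000 in either direction, and writes them to a new capture without ever holding the whole input in memory. The frame builder and the three-packet sample capture at the bottom are constructed for the demo; the filter only understands Ethernet/IPv4/TCP frames, which makes it the per-packet kind of filter the BPF one-liner is, not a reassembly-aware display filter.

```python
import io
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def read_global_header(fp):
    """Parse the 24-byte libpcap global header; return (struct byte-order prefix, raw bytes)."""
    raw = fp.read(24)
    if len(raw) != 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", raw[:4])[0]
    if magic == 0xA1B2C3D4:
        order = "<"          # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        order = ">"          # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    return order, raw


def iter_records(fp, order):
    """Yield (16-byte record header, packet bytes) lazily, one record at a time."""
    while True:
        hdr = fp.read(16)
        if len(hdr) < 16:
            return
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", hdr)
        pkt = fp.read(incl_len)
        if len(pkt) < incl_len:
            return           # truncated final record: stop instead of emitting garbage
        yield hdr, pkt


def tcp_ports(pkt):
    """Return (src_port, dst_port) for an Ethernet/IPv4/TCP frame, else None."""
    if len(pkt) < 14 + 20 + 4:
        return None
    if struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])


def tcp_port_filter(port):
    """Per-packet equivalent of the display filter tcp.port==<port>."""
    def keep(pkt):
        ports = tcp_ports(pkt)
        return ports is not None and port in ports
    return keep


def filter_pcap(src, dst, keep):
    """Copy the global header plus every record for which keep(pkt) is true; return the count."""
    order, ghdr = read_global_header(src)
    dst.write(ghdr)
    kept = 0
    for hdr, pkt in iter_records(src, order):
        if keep(pkt):
            dst.write(hdr)
            dst.write(pkt)
            kept += 1
    return kept


def count_records(data):
    """Number of records in an in-memory pcap (used to sanity-check the output)."""
    fp = io.BytesIO(data)
    order, _ = read_global_header(fp)
    return sum(1 for _ in iter_records(fp, order))


# --- constructed sample capture (synthetic frames, no real traffic) ----------
def build_frame(sport, dport, payload=b""):
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return eth + ip


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1169776980 + i, 0, len(f), len(f)) + f
    return out


SAMPLE = build_pcap([
    build_frame(40001, 50000, b"hello"),                 # kept: dst port 50000
    build_frame(50000, 40001, b"world"),                 # kept: src port 50000
    build_frame(40002, 80, b"GET / HTTP/1.0\r\n\r\n"),   # dropped
])


def demo():
    """Filter the constructed capture for tcp.port==50000; return (kept count, output bytes)."""
    src, dst = io.BytesIO(SAMPLE), io.BytesIO()
    kept = filter_pcap(src, dst, tcp_port_filter(50000))
    return kept, dst.getvalue()


if __name__ == "__main__":
    n, data = demo()
    print("kept %d packet(s), %d bytes written" % (n, len(data)))
```

To use it on real files, replace the two BytesIO objects with `open("very-large.eth", "rb")` and `open("only-infrequent.eth", "wb")`; memory use stays bounded by one record because iter_records is a generator. As Guy points out, a filter evaluated this way cannot match bytes that only exist after reassembly, so for that class of filter a dissector-backed tool such as tshark is still the right choice.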