
Tshark is a command-line-based protocol analyzer tool used to capture and analyze network traffic from a live network. It can be used as a substitute for Wireshark if you enjoy working on a black screen.

The following option can help you create a smaller pcap file. Run tshark -h on the command line to see all the available options:

    -s <snaplen>   packet snapshot length (def: appropriate maximum)

So, there are two ways to use this option:

1. Use it with tshark while capturing:

    $ sudo tshark -i eth2 -s 64 -w temp1.pcap

2. If you have already created the pcap file, you can run editcap to shrink the packet size:

    $ editcap -s 64 -F pcap largepcap.pcap smallpcap.pcap

By changing the value of the -s option, you can reduce the size further. I was able to shrink a 900 MB file to 2.4 MB.

Other options you might be interested in are as follows:

To delete packet 1000 from the capture file use:

    editcap largecapture.pcap sans1000.pcap 1000

To limit a capture file to packets from number 200 to 750 (inclusive) use:

    editcap -r largecapture.pcap small.pcap 200-750

To get all packets from number 1-500 (inclusive) use either of:

    editcap -r largecapture.pcap first500.pcap 1-500
    editcap largecapture.pcap first500.pcap 501-9999999

To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:

    editcap largecapture.pcap exclude.pcap 1 5 10-20 30-40

To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:

    editcap -r largecapture.pcap select.pcap 1 5 10-20 30-40

To remove duplicate packets seen within the prior four frames use:

    editcap -d largecapture.pcap smallcapture.pcap

To remove duplicate packets seen within the prior 100 frames use:

    editcap -D 101 largecapture.pcap smallcapture.pcap

To remove duplicate packets seen within 1/10th of a second or less of each other use:

    editcap -w 0.1 largecapture.pcap smallcapture.pcap
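What -s actually does to the file, and why a 64-byte snaplen shrinks a capture so dramatically, is easier to see on the pcap records themselves. The following is an added example, not code from the page or from the Wireshark project: a minimal classic-pcap reader/writer and a shrink_snaplen() that mimics editcap -s by truncating each record to the snaplen while preserving orig_len. It assumes little-endian microsecond pcap (magic 0xa1b2c3d4) and Ethernet link type, and the 54-byte header plus 1400-byte payload frames are constructed for the demo. The practical caveat it shows: at 64 bytes the Ethernet, IPv4 and TCP headers survive, so flow analysis still works, but the payload is gone for good, so nothing that needs content (file carving, signature matching, TLS handshake inspection) can be done on the shrunken file.

```python
import struct

# Classic pcap, little-endian, microsecond timestamps (magic 0xa1b2c3d4).
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len (caplen), orig_len
LINKTYPE_ETHERNET = 1

def write_pcap(packets, snaplen=262144):
    """Build a pcap blob from (ts_sec, ts_usec, frame_bytes) tuples, nothing truncated."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in packets:
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(blob):
    """Return (snaplen, [(ts_sec, ts_usec, orig_len, captured_bytes), ...])."""
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off, records = GLOBAL_HDR.size, []
    while off < len(blob):
        ts_sec, ts_usec, caplen, orig_len = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        records.append((ts_sec, ts_usec, orig_len, blob[off:off + caplen]))
        off += caplen
    return snaplen, records

def shrink_snaplen(blob, snaplen):
    """What `editcap -s <snaplen>` does: cut every record to snaplen bytes but keep
    orig_len, so analyzers can still report the frame's real on-the-wire size."""
    _, records = read_pcap(blob)
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, orig_len, data in records:
        kept = data[:snaplen]
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(kept), orig_len) + kept)
    return b"".join(out)

def demo():
    # Constructed frames: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP headers, then 1400 bytes of payload.
    headers = bytes(range(54))
    frame = headers + b"P" * 1400
    big = write_pcap([(1700000000, i, frame) for i in range(200)])
    small = shrink_snaplen(big, 64)
    _, records = read_pcap(small)
    headers_intact = all(r[3][:54] == headers for r in records)
    payload_gone = all(len(r[3]) == 64 and r[2] == 1454 for r in records)
    return len(big), len(small), headers_intact, payload_gone  # (294024, 16024, True, True)

if __name__ == "__main__":
    print(demo())
```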