One time I was given a number of very large pcap files and asked to do some analysis on the HTTP traffic. The pcaps were raw traffic captured from servers, and most of the packets in them were redundant for me, because I was only interested in the HTTP traffic.
Opening a large pcap with Wireshark was killing me: it takes ages to arrange the packet info into the GUI, I had a number of large pcaps to analyse, and I also needed to open multiple instances of Wireshark to compare them, which would definitely slow down my system by eating too many resources.
So what now? I was getting desperate.
First, I fired up the command-line Wireshark, tshark. I passed my display filter to tshark and asked it to rip only the HTTP traffic out into a new pcap file.
tshark -r server_10_0_0_17_20100401.pcap -R "tcp.srcport==80" -w http_10_0_0_17_20100401.pcap
tshark will read the pcap by using -r. I specify DISPLAY FILTER by using -R. At last I define my output pcap by using -w.
As simple as that, now I am happy with it.
There are more to discover what tshark capable of, feel free to check out the manuals.
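The same trick applied to a whole directory of server captures, as an added example that is not from the original post. It assumes tshark is on PATH, and uses -Y for the display filter because newer tshark releases reserve -R for a two-pass read filter (the post's older tshark accepted -R as the display filter); the default filter tcp.port==80 keeps client requests as well as the server responses that tcp.srcport==80 alone returns.

```shell
#!/bin/sh
# Added example: batch-extract HTTP traffic from many server captures with tshark.
# Assumes tshark is on PATH and follows the post's naming: server_<ip>_<date>.pcap.

# Derive the output name the post uses: server_<ip>_<date>.pcap -> http_<ip>_<date>.pcap
# Any other name simply gets an http_ prefix.
http_output_name() {
    case "$1" in
        server_*) echo "http_${1#server_}" ;;
        *)        echo "http_$(basename "$1")" ;;
    esac
}

# Filter one capture. The second argument overrides the display filter; the default
# keeps both directions of port 80 so requests are not lost. -Y is the display filter
# on current tshark (the post's older tshark used -R for the same purpose).
filter_http_pcap() {
    in="$1"
    filter="${2:-tcp.port==80}"
    out="$(http_output_name "$in")"
    tshark -r "$in" -Y "$filter" -w "$out"
}

# Loop over every server capture in the current directory, producing one small
# HTTP-only pcap per input that Wireshark can open without choking.
filter_http_pcaps() {
    for f in server_*.pcap; do
        [ -f "$f" ] || continue
        filter_http_pcap "$f" "$1"
    done
}
```

Run `filter_http_pcaps` in the directory holding the captures, or `filter_http_pcaps http` to use the http protocol dissector filter instead of a port match.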