tshark: perform filters to rip out a pcap from a large pcap

April 13th, 2010 mysurface Posted in Network, tshark | 3 Comments

One time I was given a number of very large pcap files and asked to do some analysis on HTTP traffic. The given pcaps are raw traffic captures from servers, and most of the packets in them are redundant for me, because I am only interested in HTTP traffic.

Opening a large pcap with Wireshark is killing me, as it takes time to arrange the packet info in the GUI. And I have a number of large pcaps to analyse; I also need to open multiple instances of Wireshark to compare them, which will definitely slow down my system because it eats too many resources.

So what to do? I am so desperate about this.

First, I fire up the command-line Wireshark: tshark. I pass my display filter to tshark and ask it to rip only the HTTP traffic out for me into an output pcap file.

tshark -r server_10_0_0_17_20100401.pcap -R "tcp.srcport==80" -w http_10_0_0_17_20100401.pcap

tshark reads the input pcap with -r. I specify the display filter with -R. Finally, I define my output pcap with -w.
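The same filter-and-rewrite step, as an added Python example that is not from the original post: it walks a classic pcap file record by record, keeps only the TCP packets a port predicate accepts, and emits a new pcap with the global header unchanged, mirroring tshark -r/-R/-w. The sample frames are constructed here; note that in tshark 1.10 and later the display filter is passed with -Y, since -R became the two-pass read filter and needs -2.

```python
import struct
# Constructed sample frames (not captured data): minimal Ethernet/IPv4/TCP, no checksums.
def tcp_frame(src_port, dst_port, payload=b""):
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     6, 0, bytes([10, 0, 0, 17]), bytes([192, 168, 1, 2]))
    return eth + ip + tcp + payload

def pcap_bytes(frames):
    """Serialise frames as a classic little-endian libpcap file, LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1270000000 + i, 0, len(frame), len(frame)) + frame
    return out

def records(data):
    """Yield (raw_record, frame) for each packet record of a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24                                                # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off:off + 16 + caplen], data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_ports(frame):
    """Return (srcport, dstport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                             # IPv4 header length in bytes
    if len(frame) < 14 + ihl + 4:
        return None
    return struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])

def filter_pcap(data, keep):
    """Like `tshark -r in -R <filter> -w out`: copy only TCP records where keep(src, dst) holds."""
    out = data[:24]                                         # global header copied unchanged
    for raw, frame in records(data):
        ports = tcp_ports(frame)
        if ports is not None and keep(*ports):
            out += raw
    return out

def port_list(data):
    return [tcp_ports(frame) for _, frame in records(data)]

SAMPLE = pcap_bytes([tcp_frame(40001, 80, b"GET / HTTP/1.1\r\n"),    # client -> server
                     tcp_frame(80, 40001, b"HTTP/1.1 200 OK\r\n"),   # server -> client
                     tcp_frame(443, 40002)])                         # unrelated TLS segment
```

Running the srcport==80 predicate over SAMPLE keeps only the server-to-client response, which is what the post's filter does; a predicate of port 80 on either side (tcp.port==80 in tshark) keeps both halves of the conversation.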

As simple as that, now I am happy with it.

There is more to discover about what tshark is capable of; feel free to check out the manuals.

3 Responses to “tshark: perform filters to rip out a pcap from a large pcap”

  1. You rock!!!!! Thanks for taking the time to point this out. You saved me TONS of work/time!!! ;-)

  2. Hi, have you ever before asked yourself to write about Nintendo or PSP?

  3. I believe one of your advertisements triggered my internet browser to resize; you may well want to put that on your blacklist.