Ethereal-users: Re: [ethereal-users] Filter to extract Headers rather than the whole data-captur

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Wed, 14 Jun 2000 10:23:13 -0700

On Wed, Jun 14, 2000 at 12:38:12PM +0200, Tom Groeneveld wrote:
> I am analysing large amounts of big trace files.
> I am not interested in the data, only in the header information.
> (IP-address, Port, etc.)
> 
> Can I apply a filter to the existing capture files which I have at the moment
> so that I can import the files more easily into other programs to analyse?

What sort of filtering do you want to do?  Discarding all but the
packets you're interested in, or discarding no packets but discarding,
in each packet, all but the header information you're interested in?

If you want to see only packets that match a particular filter, you can
do this with Tethereal:

	tethereal -r <input file> -R <display filter> -w <output file>

where "<display filter>" is a string containing an Ethereal-style
display filter specifying which packets should be in the files you want
to give to the other programs.

If you want to see all packets, but discard all but the header
information in each packet, you can do that with editcap:

	editcap -s <snapshot length> <input file> <output file>

which will throw away all data in the packet past the specified length.
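
Added illustration (not part of the original message and not Ethereal's or editcap's code): a Python sketch of what a snapshot length does to each record of a capture file, and of why the length must still cover the headers that carry the IP addresses and ports. It assumes a classic little-endian pcap file with Ethernet/IPv4 frames; the function names and the sample packet are constructed for this example.

```python
import socket
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, version, zone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, captured length, original length

def records(data):
    """Yield (ts_sec, ts_usec, original_length, packet_bytes) for each record."""
    if GLOBAL_HDR.unpack_from(data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        ts_sec, ts_usec, incl, orig = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        yield ts_sec, ts_usec, orig, data[off:off + incl]
        off += incl

def truncate(data, snaplen):
    """Keep every packet but cut each one to at most snaplen bytes."""
    out = bytearray(data[:GLOBAL_HDR.size])
    for ts_sec, ts_usec, orig, pkt in records(data):
        kept = pkt[:snaplen]
        # Captured length shrinks; this sketch keeps the original on-wire length.
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(kept), orig) + kept
    return bytes(out)

def endpoints(pkt):
    """(src, sport, dst, dport) for Ethernet/IPv4 TCP or UDP, or None if cut too short."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl = (pkt[14] & 0x0F) * 4
    l4 = 14 + ihl
    if ihl < 20 or pkt[23] not in (6, 17) or len(pkt) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, l4)
    return socket.inet_ntoa(pkt[26:30]), sport, socket.inet_ntoa(pkt[30:34]), dport

def sample_capture():
    """Constructed one-packet capture: TCP segment with 100 bytes of payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 140, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + b"A" * 100
    return (GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + RECORD_HDR.pack(1, 0, len(frame), len(frame)) + frame)

if __name__ == "__main__":
    for snaplen in (54, 30):  # 54 = 14 Ethernet + 20 IPv4 + 20 TCP, no options
        for _, _, orig, pkt in records(truncate(sample_capture(), snaplen)):
            print(snaplen, len(pkt), orig, endpoints(pkt))
```

With a snapshot length of 54 the addresses and ports are still readable; with 30 the packet is kept but the port fields are gone, so the length has to be chosen for the deepest header needed.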