Wireshark-users: [Wireshark-users] Filtering a very large capture file
From: "Stuart MacDonald" <stuartm@xxxxxxxxxxxxxxx>
Date: Thu, 25 Jan 2007 23:23:43 -0500
I have a very large capture file from tcpdump, 16 Gb. Wireshark
crashes trying to open it, a known issue.

For some of my investigation I used editcap and split it into smaller
captures, and that worked okay, but there were 1000 of them and each
is still slow to load/filter/etc; the size ranges from 14 to 28 Mb.

I need to locate a small handful of packets within the large capture;
there's some infrequent traffic I'm interested in. It's not feasible
for me to open, apply display filter, close, each of the 1000 smaller
files. I estimate it would take about 20 hours to do a brute force
search.

I've read the man pages on the tools that come with Wireshark. I was
hoping to find a tool that opens a capture, applies a filter and
outputs matching packets to a new file. Here's a sample run of the
hypothetical filtercap tool:
# filtercap -r very-large.eth -w only-infrequent.eth -f "tcp.port==50000"

I can't quite seem to get this functionality from the tools provided.
editcap is almost the right thing, except that instead of taking a
general filter it is restricted to filtering on frame numbers or time.
tshark is almost the right thing, except that tshark also tries to
read in the whole capture first instead of processing it like editcap.

Is there any way for me to achieve "filtercap" functionality? Not
coincidentally the above example is exactly what I need to do, only
the filenames and port numbers have been changed to protect the
guilty.

..Stu
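As an added illustration of the "filtercap" behaviour described in the post (this is example code, not part of Stu's message and not a Wireshark tool): a minimal streaming filter over a libpcap file that reads one record at a time, keeps packets whose TCP source or destination port matches, and writes them to a new file, so the input never has to fit in memory. It assumes plain Ethernet/IPv4/TCP frames (no VLAN tags, no IPv6) and the classic pcap record format; the helpers build_frame and write_pcap only construct test data.

```python
import struct

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # usec and nsec magic, native byte order
LINKTYPE_ETHERNET = 1

def tcp_ports(frame):
    """Return (src_port, dst_port) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType is not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:       # not TCP, or truncated
        return None
    return struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])

def filter_pcap(src, dst, port):
    """Stream records from src to dst, keeping those with a matching TCP port.
    Returns the number of packets written (the hypothetical filtercap)."""
    kept = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        header = fin.read(24)                             # global pcap header
        magic, = struct.unpack("<I", header[:4])
        endian = "<" if magic in PCAP_MAGICS else ">"     # detect writer's byte order
        fout.write(header)                                # same link type and snaplen
        while True:
            rec = fin.read(16)                            # per-packet record header
            if len(rec) < 16:
                break
            _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            frame = fin.read(incl_len)
            ports = tcp_ports(frame)
            if ports and port in ports:
                fout.write(rec + frame)
                kept += 1
    return kept

def build_frame(sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame with no payload (test data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def write_pcap(path, frames):
    """Write a little-endian pcap file holding the given frames (test data only)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGICS[0], 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", i, 0, len(fr), len(fr)) + fr)
```

Because each record is read and discarded in turn, memory use stays flat regardless of capture size; extending tcp_ports to handle VLAN tags or IPv6 is straightforward if the capture contains them.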