Wireshark-users: [Wireshark-users] Something like editcap?
From: Kurt Buff <kurt.buff@xxxxxxxxx>
Date: Fri, 17 Jun 2011 15:59:47 -0700
All,

I'm trying to troubleshoot slow web page loading at $WORK, and have
three captures taken simultaneously - 1 wireshark capture at the test
XP workstation, and two tcpdumps at the firewall (one for each NIC,
inside and outside).

I have several suspects for the root cause (our DNS servers are
overloaded or toxic interactions of IPv6 with IPv4 on dual stack
machines are the top two), but need to get a better grip on flow and
timing to (dis)confirm my thoughts.

The one for the workstation is less than a megabyte, while the two for
the firewall are over 25 megabytes each.

I've been able to extract a set of addresses of interest, for both DNS
and HTTP, but am having the Devil's own time trying to trace out the
timing.

I'd really like to slim down the two large cap files, and then merge
all three of them, but editcap seems only to work on packet
numbers, not actual packet content.

Is there a set of techniques that folks use to wade through large
files like this to make it easier to see what's happening?

I'm a bit of a newb at packet tracking, and haven't had time to dive
into the Laura Chappell monster book, so any pointers would be much
appreciated.

Thanks,

Kurt
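The slim-by-content-then-merge workflow the post asks about, as an added example that is not part of the original thread. With the Wireshark tools the content-based slimming is `tshark -r big.pcap -Y 'ip.addr == 10.0.0.5' -w small.pcap` (a display filter rather than packet numbers) and the timestamp-ordered merge is `mergecap -w merged.pcap ws.pcap fw-in.pcap fw-out.pcap`. The Python below reimplements those two steps on the classic pcap format so the logic can be inspected and run offline: it parses pcap records, keeps only IPv4 packets involving a set of addresses of interest, and merges the three vantage points by timestamp while tagging each row with the capture it came from (mergecap does not keep that tag, which is why it is worth adding). The capture names, the 10.0.0.0/8 and documentation-range addresses, and the packet contents are constructed sample data, not from the poster's captures.

```python
"""Filter pcap captures by IP address of interest, then merge them by timestamp."""
import heapq
import socket
import struct
from typing import Dict, Iterable, List, Tuple

Packet = Tuple[int, int, bytes]          # (ts_sec, ts_usec, packet bytes)
Row = Tuple[int, int, str, str, str]     # (ts_sec, ts_usec, capture name, src, dst)

PCAP_MAGIC_US = 0xA1B2C3D4               # classic pcap, microsecond timestamps
LINKTYPE_RAW = 101                       # DLT_RAW: each record starts at the IP header


def write_pcap(packets: Iterable[Packet]) -> bytes:
    """Serialise packets into a classic little-endian pcap file with DLT_RAW framing."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_RAW)]
    for sec, usec, pkt in packets:
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def read_pcap(data: bytes) -> List[Packet]:
    """Parse a classic pcap file; both byte orders and the nanosecond magic are accepted."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)   # nanosecond-resolution variant
    packets: List[Packet] = []
    offset = 24                                  # skip the global header
    while offset + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        packets.append((sec, frac // 1000 if nanos else frac, data[offset:offset + incl_len]))
        offset += incl_len
    return packets


def ipv4_endpoints(pkt: bytes) -> Tuple[str, str]:
    """Return (src, dst) dotted quads from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


def slim_and_merge(captures: Dict[str, bytes], addresses: Iterable[str]) -> List[Row]:
    """Keep only packets touching `addresses` in each named capture, then merge the
    captures by timestamp. Each capture is assumed to be in time order already (true
    for a single capture file), so heapq.merge yields a correctly ordered result."""
    keep = set(addresses)
    streams: List[List[Row]] = []
    for name, data in captures.items():
        rows: List[Row] = []
        for sec, usec, pkt in read_pcap(data):
            src, dst = ipv4_endpoints(pkt)
            if src in keep or dst in keep:
                rows.append((sec, usec, name, src, dst))
        streams.append(rows)
    return list(heapq.merge(*streams, key=lambda r: (r[0], r[1])))


def make_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header plus payload (checksum left zero; constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


# Constructed sample captures: a workstation, a DNS server, a web server and an
# unrelated host whose traffic is the "noise" we want to strip out.
WS, DNS, WEB, OTHER, FAR = "10.0.0.5", "10.0.0.53", "203.0.113.10", "10.0.0.77", "198.51.100.9"
T = 1308351600  # arbitrary base timestamp (seconds)
SAMPLE_CAPTURES: Dict[str, bytes] = {
    "workstation": write_pcap([
        (T, 100, make_ipv4(WS, DNS, 17, b"dns query")),
        (T, 900, make_ipv4(DNS, WS, 17, b"dns answer")),
        (T + 1, 50, make_ipv4(WS, WEB, 6, b"syn")),
    ]),
    "fw-inside": write_pcap([
        (T, 500, make_ipv4(OTHER, FAR, 6, b"noise")),
        (T + 1, 70, make_ipv4(WS, WEB, 6, b"syn")),
        (T + 1, 400, make_ipv4(WEB, WS, 6, b"syn-ack")),
    ]),
    "fw-outside": write_pcap([
        (T + 1, 90, make_ipv4(WS, WEB, 6, b"syn")),
        (T + 1, 200, make_ipv4(OTHER, FAR, 6, b"noise")),
        (T + 1, 380, make_ipv4(WEB, WS, 6, b"syn-ack")),
    ]),
}
ADDRESSES_OF_INTEREST = {WS}


def demo() -> List[Row]:
    """Run the filter-and-merge over the constructed captures."""
    return slim_and_merge(SAMPLE_CAPTURES, ADDRESSES_OF_INTEREST)


if __name__ == "__main__":
    for sec, usec, name, src, dst in demo():
        print(f"{sec}.{usec:06d}  {name:12s} {src} -> {dst}")
```

Reading the merged rows top to bottom shows the same SYN appearing at the workstation, then the inside firewall interface, then the outside interface, which is exactly the per-hop timing the post is after; the gaps between those three timestamps (and between a DNS query and its answer) are what point at a slow resolver versus a slow path.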