Super Users.
I have a PCAP file that is over 100M. I wish to open it with my GUI version of Wireshark 32.0.0_ofc14, but it crashes each time I try to open it. I have heard that one can use Tshark to open huge PCAP files, then perform a filter to focus in on the type of traffic, and then save the results to a different PCAP file. Hopefully the new PCAP file will be smaller than the original and I can open it with the GUI version of Wireshark.
The man page for Tshark is too cryptic for me. I am hoping that someone has done this before and can guide me to which options I need to choose on the TSHARK command to achieve what I want. I would prefer to filter on a MAC address but can filter on an IP address.
Can someone provide me with an example Tshark command that I could use to accomplish this?
Let's assume the following:
test.pcap - is the name of the original file that is huge
my filter criterion is either an IP address of 1.1.1.1 or a MAC address of 01:01:01:01:01:01
testout.pcap - is the name of the file I wish to make using one of the above filters; hopefully it will contain only a small number of packets and result in a PCAP file that I can open with the GUI version of Wireshark.
Thanks,
George
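One way to do this with tshark, as an added example that is not part of George's post: it assumes tshark is installed and on PATH, and uses the file names and addresses from the question (the filter string is built separately so it can be reused with other hosts).

```shell
#!/bin/sh
# Added example (not from the original post): cut a huge capture down to the
# traffic for one IP or one MAC with tshark, then open the small file in Wireshark.
# Assumes tshark is on PATH; test.pcap, 1.1.1.1 and 01:01:01:01:01:01 are the
# values named in the question.

# Build a Wireshark display filter that matches either host. ip.addr and
# eth.addr match the address whether it is in the source or destination field.
build_filter() {
    ip="$1"
    mac="$2"
    printf 'ip.addr == %s || eth.addr == %s' "$ip" "$mac"
}

# Read the big file, keep only packets matching the filter, write them out.
#   -r  read packets from a file instead of capturing live
#   -Y  display filter applied while reading (same syntax as the Wireshark filter bar)
#   -F  write classic pcap rather than the default pcapng, to match the .pcap name
#   -w  write only the matching packets to a new capture file
filter_pcap() {
    in="$1"
    out="$2"
    filter="$3"
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found on PATH" >&2; return 1; }
    [ -r "$in" ] || { echo "cannot read input file: $in" >&2; return 1; }
    tshark -r "$in" -Y "$filter" -F pcap -w "$out"
}

# Usage (uncomment to run against a real capture):
# filter_pcap test.pcap testout.pcap "$(build_filter 1.1.1.1 01:01:01:01:01:01)"
```

Because tshark does no GUI rendering, it reads the 100M file in one pass; the resulting testout.pcap holds only the packets that matched, so it should open in the Wireshark GUI.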