I captured a really big tcpdump file which now always crashes my wireshark. It was captured with no filters and I need to apply some afterwards to make the file smaller.
Is this somehow possible?
Asked
Active
Viewed 1.3k times
2 Answers
17
Yes, it is possible. You can use the following command:
tcpdump -r your_input_file.pcap -w your_output_file.pcap "your_filter"
Tcpdump will read the input file, apply the filter, and then write the output file. You need just to come up with the right filter.
Khaled
- 36,533
- 8
- 72
- 99
1
Try netsniff-ng, it sequentially processes the pcap unlike Wireshark, which tries to load everything into RAM.
Jens Meier
- 11
- 1