I have a rather large pcap file. I just want to read one packet in this file, for example, the 10th packet.

I have a tshark command like this:

tshark -r myfile.pcap frame.number == 10 -V

The command will continue searching the entire file even when it finds the 10th packet. That takes a long time.

I prefer to stop the command when it finds the packet. How can I do that?

Thank you for any suggestion.

nall
Alice

1 Answer

editcap (part of the Wireshark package) can be used to extract one or more specific frames from a pcap file to a new pcap file.

You can then run tshark on the new file. (This is a two-step process, but for large pcap files it will take less time than tshark will take to read the whole file.)

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

Packet selection:
  -r                     keep the selected packets; default is to delete them.

See editcap -h for the complete list of editcap options.

willyo
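
An added example, not part of the question or the answer above and not Wireshark code: a small reader that walks the record headers of a capture, skips payloads with a seek, and stops as soon as it has the requested packet. It assumes the classic libpcap file format (pcapng is not handled); the function names, the length sanity bound and the sample capture are constructed for illustration.

```python
import io
import struct

# First four bytes read as little-endian -> byte order of the file (usec and nsec variants).
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def read_nth_packet(stream, n):
    """Return (ts_sec, ts_frac, orig_len, data) for 1-based packet n, reading no further."""
    if n < 1:
        raise ValueError("packet numbers start at 1")
    header = stream.read(24)  # fixed-size global header
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    endian = MAGICS.get(struct.unpack("<I", header[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    snaplen = struct.unpack(endian + "I", header[16:20])[0]
    for index in range(1, n + 1):
        rec = stream.read(16)  # per-packet record header
        if not rec:
            raise IndexError(f"file holds only {index - 1} packets")
        if len(rec) < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if incl_len > max(snaplen, 262144):  # assumed sanity bound against corrupt lengths
            raise ValueError("implausible record length; file is corrupt")
        if index < n:
            stream.seek(incl_len, io.SEEK_CUR)  # skip the payload without reading it
            continue
        data = stream.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        return ts_sec, ts_frac, orig_len, data

def build_sample(count):
    """Constructed capture: `count` records whose payload is b'pkt' plus the packet number."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(1, count + 1):
        payload = b"pkt%d" % i
        out += struct.pack("<IIII", 1700000000 + i, 0, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    with io.BytesIO(build_sample(1000)) as f:
        print(read_nth_packet(f, 10), "stopped at offset", f.tell())
```

For a file on disk, pass `open("myfile.pcap", "rb")` as the stream; the returned bytes are the raw frame and still need a dissector such as tshark to decode.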