Also if you cannot run Wireshark for whatever reason (no GUI interface, not enough memory to process the large file), you still have an option.įirst you need to do a dump of the packets using the "-x" argument. Now at this point I have to say that wireshark may be able to "Export Specified Packets", it will work for the NetScaler trace but its grayed out for the Microsoft trace. $ tshark -r windows.cap -Y "tcp.port = 443" -w windows.pcapįigure 2b - tshark reading a file written by the Microsoft Message Analyzer Tshark: The capture file being read can't be written as a "pcapng" file.įigure 2a - tshark reading a netscaler file So t makes sense to try to extract only the packets that you are interested in and write them to a new file. $ time tshark -r netscaler.cap -Y "tcp.port = 50340" | wc -lįigure 1 - large file and the time needed to count frames in 1 TCP stream In figure 1 it took over 2 minutes to count 21 frames in an 800 megabyte file. tshark: The capture file being read can't be written as a "pcapng" file.Īnalyzing a large trace files can take time. Tshark: The capture file being read can't be written as a "pcapng" file.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |