
Ethereal sniffing problem

I have collected about 300 Megs worth of .pcap data with ethereal (ver 0.99) via SPAN on 3550.

Is there a way to split this file down to smaller manageable parts so winxppro can read it without crashing?

Ethereal has options to do this while sniffing; it was flaky, so I had to let the sniff run for 3 days.


Re: Ethereal sniffing problem


You could try to use editcap (in the Ethereal directory), which, according to its description, should do what you need:

"Editcap is a program that reads some or all of the captured packets from the infile, optionally converts them in various ways and writes the resulting packets to the capture outfile (or outfiles).

By default, it reads all packets from the infile and writes them to the outfile in libpcap file format.

A list of packet numbers can be specified on the command line; ranges of packet numbers can be specified as start-end, referring to all packets from start to end. The selected packets with those numbers will not be written to the capture file. If the -r flag is specified, the whole packet selection is reversed; in that case only the selected packets will be written to the capture file."

Hope this helps! Please rate all posts.

Regards, Martin
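
Splitting by packet count, as an added example that is not part of the original posts and is not editcap's own code: a Python function that streams a classic libpcap file into fixed-size parts without loading the whole capture into memory. The function names, the output naming scheme and the constructed sample capture are assumptions made for illustration.

```python
import struct

# Classic libpcap magic numbers as they appear on disk, mapped to byte order.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # microsecond timestamps, little-endian
    b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps, big-endian
    b"\x4d\x3c\xb2\xa1": "<",  # nanosecond timestamps, little-endian
    b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps, big-endian
}

def split_pcap(src_path, out_prefix, packets_per_file):
    """Stream src_path into <out_prefix>_00000.pcap, ... and return the paths."""
    if packets_per_file < 1:
        raise ValueError("packets_per_file must be >= 1")
    written, out, count = [], None, 0
    with open(src_path, "rb") as src:
        global_header = src.read(24)
        endian = MAGICS.get(global_header[:4])
        if len(global_header) < 24 or endian is None:
            raise ValueError("not a classic libpcap file (pcapng is not handled)")
        try:
            while True:
                rec_header = src.read(16)
                if len(rec_header) < 16:
                    break  # clean end of file, or a cut-off record header
                incl_len = struct.unpack(endian + "IIII", rec_header)[2]
                payload = src.read(incl_len)
                if len(payload) < incl_len:
                    break  # final packet truncated (capture was killed): drop it
                if out is None:
                    path = f"{out_prefix}_{len(written):05d}.pcap"
                    out = open(path, "wb")
                    out.write(global_header)  # each part needs its own file header
                    written.append(path)
                out.write(rec_header + payload)
                count += 1
                if count == packets_per_file:
                    out.close()
                    out, count = None, 0
        finally:
            if out is not None:
                out.close()
    return written

def make_sample_pcap(n_packets):
    """Constructed sample: n_packets dummy 4-byte frames, little-endian, Ethernet."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, 4, 4) + struct.pack("<I", i)
                          for i in range(n_packets))
```

Each part repeats the 24-byte global header, so it opens on its own as a valid capture; a record cut short at the end of the source file is left out rather than copied.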

Re: Ethereal sniffing problem


You might also try collecting your original trace with "t"ethereal instead of ethereal. Tethereal has worked very well for me when creating multi-file captures.