Ethereal sniffing problem

william.grace · ‎05-17-2006

I have collected about 300 Megs worth of .pcap data with ethereal (ver 0.99)via SPAN on 3550.

Is there a way to split this file down to smaller managable parts so winxppro can read it without crashing?

Ethereal has options to do this while sniffing; it was flaky- so I had to let the sniff run for 3 days.

mheusinger · ‎05-18-2006

Hello,

you could try to use editcap (in the Ethereal directory), which, according to its description, should do what you need:

"Editcap is a program that reads some or all of the captured packets from the infile, optionally converts them in various ways and writes the resulting packets to the capture outfile (or outfiles).

By default, it reads all packets from the infile and writes them to the outfile in libpcap file format.

A list of packet numbers can be specified on the command line; ranges of packet numbers can be specified as start-end, referring to all packets from start to end. The selected packets with those numbers will not be written to the capture file. If the -r flag is specified, the whole packet selection is reversed; in that case only the selected packets will be written to the capture file."

Hope this helps! Please rate all posts.

Regards, Martin

nleachman · ‎06-07-2006

Hi,

You might also try collecting your original trace with "t"ethereal instead of ethereal. Tethereal has worked very well for me when creating multi-file captures.

Regards,

Nick