While looking for an evasive SIP Gateway related problem I used wireshark to collect additional traffic. Unfortunatly once I had taken the wirshark capture file (which had grown to almost 2 GB) to my laptop for analyzing I found that it lacked sufficient memory to load this enormous capture file.
I found that wirshark shipped with tools that have the ability to split the capture to a manageable size. How does it work?

You can split the capture file as follows:-

1. From CMD Navigate to c:\Progran Files\Wireshark
 
2. Run the command: capinfos -c c:\xxxxx.pcap – Where xxxxx.pcap is your capture file
 
3.  This will give you the number of packets in the trace so can decide how to split the file. Only 290 packets in my screenshot 🙂
 
 
4. Run the command: editcap -c 400000 c:\xxxxx.pcap c:\splittrace.pcap – Where 400000 is the number of packets in each output split segment, and the source and destination files are mentioned next
5. You will now have as many files as required to complete the split, they will be called what you stated as the dest file above followed by -0000, -0001 etc
Advertisements