EDITCAP very useful wireshark command

[pmhaynes]

I recently had a need to open a 30gb pcap file.
The usual intermitant call issues so i had to start a new trace everyday so the file didnt get to large
Well sods law, the issue happens over the weekend so the pcap file had reached 30gb
trying to open that size file in wiresahrk caused it to crash
Even if it did open wireshark, it would be incredably slow
As we knew the time and date when the issue occured we wanted to filter the capture to that period
But as i could not open the file, i could not filter it

some googling later i found EDITCAP

command line utilitly built in to wireshark that allows you to do many things including extrating a time period from a pcpa file

here is my post on it

http://phonesystemhelp.info/how-to-edit-large-wireshark-files-with-editcap/

hope someone finds it useful when fault finding sip issues

P.S i know i can use the "port 5060" command to only capture signalling but i needed the voice packets in this instance

P

[sarond]

Thanks for sharing.

I do find your blog posts useful. Very handy.

[NEPhoneGuy]

If I am running a capture over any period of time I typically run the command line - tshark and use options for how big to make each capture and how many to keep.

ie 200 50meg files
-b filesize:51200 -b files:200

https://www.wireshark.org/docs/man-pages/tshark.html

[johnp]

Thanks for this info

[pmhaynes]

If I am running a capture over any period of time I typically run the command line - tshark and use options for how big to make each capture and how many to keep.

ie 200 50meg files
-b filesize:51200 -b files:200

https://www.wireshark.org/docs/man-pages/tshark.html

Thank you for the info. i will definitely take alook. I do seem to be RTM more as i get older 
Can't run this on the Mitel linux servers but definaltey useful for other servers.
Let me know if im wrong
Thanks again

[sarond]

If I am running a capture over any period of time I typically run the command line - tshark and use options for how big to make each capture and how many to keep.

ie 200 50meg files
-b filesize:51200 -b files:200

https://www.wireshark.org/docs/man-pages/tshark.html

Thank you for the info. i will definitely take alook. I do seem to be RTM more as i get older 
Can't run this on the Mitel linux servers but definaltey useful for other servers.
Let me know if im wrong
Thanks again

tcpdump can also write multiple files.
e.g. To run a tcpdump 20MB files max 50 files overwriting oldest.
tcpdump -i any -n -s0 -C 20 -W 50 -Z root -w capture.pcap

[pmhaynes]

If I am running a capture over any period of time I typically run the command line - tshark and use options for how big to make each capture and how many to keep.

ie 200 50meg files
-b filesize:51200 -b files:200

https://www.wireshark.org/docs/man-pages/tshark.html

Thank you for the info. i will definitely take alook. I do seem to be RTM more as i get older 
Can't run this on the Mitel linux servers but definaltey useful for other servers.
Let me know if im wrong
Thanks again

tcpdump can also write multiple files.
e.g. To run a tcpdump 20MB files max 50 files overwriting oldest.
tcpdump -i any -n -s0 -C 20 -W 50 -Z root -w capture.pcap

Excellant. I did use tcpdump on the older versions. did not know it could do that though. I will give it a go thank you.
Think i may  have to add mount a network share to save the files to as well.
Thanks for your help
Paul