Run tshark -h on the command line to see all the available options. The following option can help you to create the smaller pcap file.
-s <snaplen> packet snapshot length (def: appropriate maximum)
So, there are two ways to use this command:
1. Use it with tshark like this: $ sudo tshark -i eth2 -s 64 -w temp1.pcap
2. If you already created pcap file, you can run editcap command to shrink the packet size. Run this command: $ editcap -s 64 -F pcap largepcap.pcap shortcapture.pcap
By changing the value of -s option, you can reduce the size further. I was able to shrink 900mb file to 2.4mb.
Other options you might be interested in are as follows:
- To delete packet 1000 from the capture file use:
editcap largecapture.pcap sans1000.pcap 1000
- To limit a capture file to packets from number 200 to 750 (inclusive) use:
editcap -r largecapture.pcap small.pcap 200-750
- To get all packets from number 1-500 (inclusive) use:
editcap -r largecapture.pcap first500.pcap 1-500
or
editcap largecapture.pcap first500.pcap 501-9999999
- To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:
editcap largecapture.pcap exclude.pcap 1 5 10-20 30-40
- To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:
editcap -r largecapture.pcap select.pcap 1 5 10-20 30-40
- To remove duplicate packets seen within the prior four frames use:
editcap -d largecapture.pcap smallcapture.pcap
- To remove duplicate packets seen within the prior 100 frames use:
editcap -D 101 largecapture.pcap smallcapture.pcap
- To remove duplicate packets seen equal to or less than 1/10th of a second:
editcap -w 0.1 largecapture.pcap smallcapture.pcap
