managing large trace files with editcap

Managing Large Traces With editcap So how does one work with a 1,2,5 or 10 GB trace file in Wireshark? In most cases, you just don’t 😉 I honestly don’t believe that Wireshark was ever built to handle trace files of that size. You have several options,

• go buy a third party application that would do all your reporting for you
• make a smaller trace file In previous videos I have shown you how to slice and split trace files using editcap (https://www.networkdatapedia.com/post/2011/07/19/using-wiresharks-editcap-to-reduce-your-trace-file-size). In this video I show you how you can use display filters with tshark to reduce your trace file size. When you get really comfortable with thsark, you’ll use a variety of these techniques and end up with a manageable trace file. Not only are smaller trace files quicker to load, in many cases you will probably see a pattern that was not evident with all the other noise around it. Hope it helps you out, have a great day. ... https://www.youtube.com/watch?v=u6_pCYC1F14