Wireshark would crash trying to load the file (around 375 MB).
You start thinking 'why did the client not capture packets only when the problem occurred?'.
But, I quickly realised that tcpdump can be used with the capture file as input and filters can be applied to extract packets of our interest.
In this case I was interested in packets that had a particular IP address. So I used the command below to extract those packets into another pcap file.
tcpdump -r [largefile.pcap] -w [filtered.pcap] host [ip-address]
And now I have a pcap file that wireshark can load so that I can take a good look at what is happening.
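Where tcpdump is not available on the analysis machine, the same extraction can be done by streaming the capture one record at a time, so memory use stays flat regardless of file size. The following is an added example, not code from the original post; it assumes a classic pcap file (not pcapng) with Ethernet framing and IPv4 traffic, and the function names and sample addresses are made up for illustration.

```python
import socket
import struct

# Byte order for the four classic pcap magic numbers (microsecond and nanosecond).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def filter_pcap_by_ip(src, dst, ip):
    """Copy Ethernet/IPv4 records whose source or destination is `ip`; return count."""
    want = socket.inet_aton(ip)
    header = src.read(24)
    endian = MAGICS.get(header[:4])
    if len(header) < 24 or endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", header[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    dst.write(header)
    kept = 0
    while True:
        rec = src.read(16)                      # ts_sec, ts_frac, incl_len, orig_len
        if len(rec) < 16:
            break
        incl_len = struct.unpack(endian + "I", rec[8:12])[0]
        frame = src.read(incl_len)
        if len(frame) < incl_len:
            break                               # truncated final record: stop cleanly
        off = 12
        while frame[off:off + 2] in (b"\x81\x00", b"\x88\xa8"):
            off += 4                            # skip 802.1Q / 802.1ad VLAN tags
        if frame[off:off + 2] != b"\x08\x00":
            continue                            # not IPv4
        addrs = frame[off + 14:off + 22]        # IPv4 source (4 bytes) + destination (4 bytes)
        if len(addrs) == 8 and want in (addrs[:4], addrs[4:]):
            dst.write(rec + frame)
            kept += 1
    return kept

def sample_capture():
    """Constructed three-packet capture (sample data, not from the original post)."""
    def pkt(src_ip, dst_ip):
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                             socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip_hdr
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    flows = [("192.0.2.10", "198.51.100.5"), ("203.0.113.7", "198.51.100.5"),
             ("198.51.100.5", "192.0.2.10")]
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(pkt(s, d) for s, d in flows)
```

For a real capture, pass files opened with open(path, "rb") and open(out_path, "wb") as src and dst; the output keeps the original global header and timestamps, so Wireshark opens it directly.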