Managing Large Wireshark Traces With editcap
Updated: Oct 1
So how does one work with a 1, 2, 5 or 10 GB trace file in Wireshark? In most cases, you just don’t 😉
I honestly don’t believe that Wireshark was ever built to handle trace files of that size.
You have several options:
- go buy a third-party application that will do all your reporting for you
- make a smaller trace file
In previous videos, I have shown you how to slice and split trace files using editcap (https://www.networkdatapedia.com/post/2011/07/19/using-wiresharks-editcap-to-reduce-your-trace-file-size).
In this video, I show you how you can use display filters with tshark to reduce your trace file size.
When you get really comfortable with tshark, you’ll use a variety of these techniques and end up with a manageable trace file. Not only are smaller trace files quicker to load, but in many cases you will probably also see a pattern that was not evident with all the other noise around it.
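As an added example (not code from the original post or from the Wireshark project), the script below does in pure Python what the two reduction steps above do, so it runs offline on a constructed pcap: it splits a trace into fixed packet-count chunks the way `editcap -c` does, and keeps only packets matching a condition the way `tshark -r in -Y "<display filter>" -w out` does. The pcap writer, the reader, the 25-packet sample trace and the `demo()` helper are all assumptions made for the example; the only real tool invoked is `tshark`, and only if it is on the PATH, as a cross-check.

```python
"""Pure-Python stand-in for the editcap/tshark reduction steps (added example).

Mirrored commands (standard editcap/tshark flags):
    editcap -c 10 big.pcap chunk.pcap               # split every 10 packets
    tshark -r big.pcap -Y "udp.dstport == 53" -w dns.pcap   # keep only matches
"""
import os
import shutil
import struct
import subprocess
import tempfile

# Classic libpcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_udp_frame(dst_port: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame; checksums left at zero for the demo."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, dst_port, udp_len, 0)
    return eth + ip + udp + payload


def write_pcap(path, frames):
    """Write frames as a little-endian classic pcap with synthetic timestamps."""
    with open(path, "wb") as f:
        f.write(PCAP_GLOBAL)
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield raw frames from a little-endian classic pcap (no pcapng support here)."""
    with open(path, "rb") as f:
        if f.read(24)[:4] != b"\xd4\xc3\xb2\xa1":
            raise ValueError("only little-endian classic pcap is handled in this demo")
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                return
            _, _, incl_len, _ = struct.unpack("<IIII", hdr)
            yield f.read(incl_len)


def split_by_count(src, out_prefix, per_file):
    """Equivalent of `editcap -c per_file`: consecutive chunks, returns their paths."""
    outputs, chunk = [], []

    def flush():
        outputs.append(f"{out_prefix}_{len(outputs):05d}.pcap")
        write_pcap(outputs[-1], chunk)

    for frame in read_pcap(src):
        chunk.append(frame)
        if len(chunk) == per_file:
            flush()
            chunk = []
    if chunk:
        flush()
    return outputs


def udp_dst_port(frame):
    """UDP destination port of an IPv4/UDP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17 or len(frame) < 14 + ihl + 8:
        return None
    return struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]


def filter_by_udp_port(src, dst, port):
    """Equivalent of `tshark -r src -Y "udp.dstport == port" -w dst`; returns (kept, total)."""
    kept, total = [], 0
    for frame in read_pcap(src):
        total += 1
        if udp_dst_port(frame) == port:
            kept.append(frame)
    write_pcap(dst, kept)
    return len(kept), total


def demo(workdir=None):
    """Constructed 25-packet trace (every 5th is DNS): split into 10s, keep DNS; returns counts."""
    workdir = workdir or tempfile.mkdtemp()
    big, dns = os.path.join(workdir, "big.pcap"), os.path.join(workdir, "dns.pcap")
    write_pcap(big, [build_udp_frame(53 if i % 5 == 0 else 443, b"x" * 100) for i in range(25)])
    chunks = split_by_count(big, os.path.join(workdir, "chunk"), 10)
    kept, total = filter_by_udp_port(big, dns, 53)
    result = {"chunks": len(chunks), "kept": kept, "total": total,
              "big_bytes": os.path.getsize(big), "dns_bytes": os.path.getsize(dns)}
    if shutil.which("tshark"):  # cross-check with the real tool when installed
        proc = subprocess.run(["tshark", "-r", big, "-Y", "udp.dstport == 53"],
                              capture_output=True, text=True)
        if proc.returncode == 0:
            result["tshark_kept"] = len(proc.stdout.splitlines())
    return result


if __name__ == "__main__":
    print(demo())
```

On a real multi-gigabyte capture you would let `editcap` and `tshark` do this work; the point of the pure-Python version is to make visible that both operations are a single linear pass over the record headers, which is why a filtered or split copy loads in Wireshark in a fraction of the time the original does.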
Hope it helps you out, have a great day.