editcap does allow you to specify packet number or packet number range. I do know that if you load it into Wireshark, you WILL see a packet number in the leftmost column, but since you're talking about a 100Gb file I did not want to suggest you load it into Wireshark (maybe Wireshark on a Linux server can deal with that? Dunno.)

Anyways, I came across editcap, which I have not used in the past but is a command-line tool that is part of Wireshark. I'm starting to think that the pcap output file does NOT include a packet number? I was somewhat surprised to see that the tcpdump man page and docs do not include any mention of packet number, which I would have thought it would for use with the -r option (reading from pcap file). You pose a very interesting question (at least to me!), so I started researching for an answer.

> 192.168.: sctp (1)

As of Wireshark 2.6.0 Release, you can use the membership operator for range like frame.number in " -w new.pcap