Tcpdump: Shrink pcap File By Reducing Snaplen
I used tcpdump to capture some traffic, but then realized that I didn’t need any of the application layer payload, but just the headers. The problem was that I had already done the capturing, and I had these huge pcap files taking up the precious space on my machine. What I first tried was using tcpdump to read the file and dump it, with a smaller snaplen: tcpdump -s 96 -r in.cap -w smaller.cap. That does not seem to change the snaplen, however. The solution I found is to use editcap, as described here:
https://www.wireshark.org/docs/man-pages/editcap.html
The second example in the manual was what I was looking for. This did the trick:
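What reducing the snaplen after the fact does to a capture file, as an added Python example (not the command from the original post and not editcap's own code): each record's captured length is cut to the new limit while the original on-the-wire length is kept. It assumes the classic pcap format rather than pcapng; `truncate_pcap` and `build_sample` are hypothetical names, and the sample capture is constructed.

```python
import struct

# Classic pcap magic bytes -> struct byte-order prefix (usec and nsec variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def truncate_pcap(data: bytes, snaplen: int) -> bytes:
    """Return a copy of a classic pcap file with each packet cut to snaplen bytes.

    Hypothetical helper for illustration; pcapng input is rejected.
    """
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    e = MAGICS[data[:4]]
    # Global header after the magic: major, minor, thiszone, sigfigs, snaplen, linktype
    major, minor, zone, sigfigs, old_snap, linktype = struct.unpack(e + "HHiIII", data[4:24])
    out = bytearray(data[:4])
    out += struct.pack(e + "HHiIII", major, minor, zone, sigfigs,
                       min(old_snap, snaplen), linktype)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet data")
        keep = min(incl_len, snaplen)
        # incl_len shrinks to the bytes kept; orig_len still records the wire length.
        out += struct.pack(e + "IIII", ts_sec, ts_frac, keep, orig_len)
        out += data[off:off + keep]
        off += incl_len
    return bytes(out)

def build_sample(sizes, snaplen=65535):
    """Constructed sample: little-endian Ethernet pcap holding dummy packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, n in enumerate(sizes):
        out += struct.pack("<IIII", 1700000000 + i, 0, n, n) + bytes([i]) * n
    return out

if __name__ == "__main__":
    sample = build_sample([60, 1500, 96])
    small = truncate_pcap(sample, 96)
    print(len(sample), "->", len(small), "bytes")
```

Packets already shorter than the new snaplen are copied unchanged, so only the oversized records shrink.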