如何截断捕获.cap文件中的冗余数据？ [英] How to truncate redundant data out of a capture .cap file?

问题描述

嗨。

我正在解决客户端网络应用程序上的问题，其中，间歇性地，浏览器显示"Internet Explorer无法显示此网页"。类型错误。  我们怀疑网络问题可能导致TCP会话不完整。

I'm troubleshooting an issue on a client's web application where, intermittently, the browser displays an "internet explorer cannot display this webpage" type error.  We suspect network issues may be resulting in incomplete TCP conversations.

由于问题是间歇性的，难以按需复制，我开始捕获并等待用户报告错误消息再次出现。  因此，我有一个.cap文件，其中包含从10am
到3pm的捕获的网络流量数据，这足够大，以至于当我使用.cap文件时NM34的响应速度很慢。  

Because the problem is intermittent and difficult to reproduce on demand, I started a capture and waited for a user to report that the error message had appeared again.  As a result, I have a .cap file containing captured network traffic data from 10am to 3pm, which is large enough that NM34 is slow to respond while I'm working with the .cap file.  

我尝试过（例如）使用如下显示过滤器：

I have tried (for example) using a display filter like:

tcp.port == 443
OR
Payloadheader.LowerProtocol.port == 443

然后根据同事的建议保存过滤后的输出，这样会给我包含的.cap文件只是我原始数据的一个子集。  我发现即使这样做，我的文件仍然有相同的（130万）帧数，
，数据文件大小仍然高达900MB左右。

and then saving the filtered output as per a colleagues recommendation that this would give me .cap file that contained only a subset of my original data.  I find that even after doing this, I still have the same (1.3 million) frame count in my file, and the datafile size is still up around 900MB.

提前致谢，

Nathan

推荐答案

保存文件时，必须选择（显示的帧），否则默认保存所有捕获的帧。

When you save the file, you have to select (Displayed Frames), or it will by default save all captured frames.

谢谢，

保罗

这篇关于如何截断捕获.cap文件中的冗余数据？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！