Ideally, we would like our dealers to do one or both of the following when running the Wireshark capture before uploading it to us:
1. Apply a capture filter to reduce the amount of data captured. For example, the capture filter “udp” would collect all SIP and RTP/RTCP messages.
2. Use dumpcap with rotating output files so the capture is written as a larger number of smaller files. See this KB article on using dumpcap.
With those ideas in mind, note that the Wireshark installer also includes several command-line tools that can process pcap files without opening Wireshark (and therefore without dissecting every packet), which can reduce a file to a manageable size.
The “Internal” section of this web page lists the tools included with Wireshark and links to the man page for each tool. A few examples:
How many packets are in a single file?
C:\Temp\pcap> "\Program Files\Wireshark\capinfos.exe" -c bestbuy.pcap
File name: bestbuy.pcap
Number of packets: 181967
Split into files of 70,000 frames each. Note that an output file name must be given; editcap appends a sequence number and a timestamp to it:
C:\Temp\pcap> "\Program Files\Wireshark\editcap.exe" -c 70000 bestbuy.pcap bestbuy.pcap
C:\Temp\pcap> dir
Directory of C:\Temp\pcap
05/15/2014 10:04 AM <DIR> .
05/15/2014 10:04 AM <DIR> ..
05/15/2014 09:26 AM 20,480,092 bestbuy.pcap
05/15/2014 10:04 AM 7,920,300 bestbuy_00000_20140120201344.pcap
05/15/2014 10:04 AM 7,856,192 bestbuy_00001_20140120202328.pcap
05/15/2014 10:04 AM 4,704,120 bestbuy_00002_20140120203251.pcap
4 File(s) 40,960,704 bytes
2 Dir(s) 266,120,671,232 bytes free
Get the start time of every file whose name starts with “bestbuy_”. Note that the timestamps inside a pcap file are stored as UTC, so capinfos displays them converted to the local time zone of YOUR machine. If that time zone differs from the one on the machine the pcap came from, the times shown will be offset from the description provided by the dealer. Also note that when dumpcap writes a circular (ring buffer) capture, the start time is embedded in each file name:
C:\Temp\pcap> "\Program Files\Wireshark\capinfos.exe" -a bestbuy_*
File name: bestbuy_00000_20140120201344.pcap
Start time: Mon Jan 20 20:13:44 2014
File name: bestbuy_00001_20140120202328.pcap
Start time: Mon Jan 20 20:23:28 2014
File name: bestbuy_00002_20140120203251.pcap
Start time: Mon Jan 20 20:32:51 2014
Combine files “bestbuy_00000_20140120201344.pcap” and “bestbuy_00001_20140120202328.pcap”:
C:\Temp\pcap> "\Program Files\Wireshark\mergecap.exe" -w bestby_merge.pcap bestbuy_00000_20140120201344.pcap bestbuy_00001_20140120202328.pcap
C:\Temp\pcap> dir
Volume in drive C has no label.
Volume Serial Number is 6652-A6BF
Directory of C:\Temp\pcap
05/15/2014 10:30 AM <DIR> .
05/15/2014 10:30 AM <DIR> ..
05/15/2014 09:26 AM 20,480,092 bestbuy.pcap
05/15/2014 10:04 AM 7,920,300 bestbuy_00000_20140120201344.pcap
05/15/2014 10:04 AM 7,856,192 bestbuy_00001_20140120202328.pcap
05/15/2014 10:04 AM 4,704,120 bestbuy_00002_20140120203251.pcap
05/15/2014 10:30 AM 15,840,272 bestby_merge.pcap
5 File(s) 56,800,976 bytes
2 Dir(s) 266,102,218,752 bytes free
Tshark can be used to filter a file with a display filter. The following example writes out only REGISTER messages and their response(s). Note that we are using the -R switch for the filter. The man page mentions a -Y switch for single-pass filtering, but it is not available in tshark on our test system; your mileage may vary in that respect:
C:\Temp\pcap> "\Program Files\Wireshark\tshark.exe" -r bestbuy.pcap -R "sip.CSeq.method == \"REGISTER\"" -w best_by_REGISTER_packets.pcap
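For readers who want to verify what capinfos -c, capinfos -a, editcap -c and mergecap are doing to a file, here is an added example (not part of this article or of Wireshark) that reads the classic libpcap format directly. It assumes a little-endian pcap with microsecond timestamps, builds a small constructed capture in memory, and shows that the stored timestamps are plain UTC epoch seconds, which is why capinfos output depends on the time zone of the machine running it.

```python
# Added example: minimal classic-pcap reader reproducing capinfos/editcap/mergecap
# behaviour on a constructed sample file (not the article's or Wireshark's code).
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian magic, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def records(pcap: bytes):
    """Yield (ts_sec, ts_usec, raw_record_bytes) for every frame in a classic pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled here)")
    off = GLOBAL_HDR.size
    while off < len(pcap):
        ts_sec, ts_usec, incl_len, _ = REC_HDR.unpack_from(pcap, off)
        end = off + REC_HDR.size + incl_len
        if end > len(pcap):                       # capture cut off mid-write by a crash or ring rotation
            raise ValueError("truncated record at offset %d" % off)
        yield ts_sec, ts_usec, pcap[off:end]
        off = end

def count_packets(pcap: bytes) -> int:            # what capinfos -c reports
    return sum(1 for _ in records(pcap))

def start_time_utc(pcap: bytes) -> datetime:      # what capinfos -a reports, before local-tz conversion
    ts_sec, ts_usec, _ = next(records(pcap))
    return datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)

def split_frames(pcap: bytes, per_file: int) -> list:   # editcap -c N: chunks of N frames, header copied
    hdr, out, cur = pcap[:GLOBAL_HDR.size], [], []
    for _, _, raw in records(pcap):
        cur.append(raw)
        if len(cur) == per_file:
            out.append(hdr + b"".join(cur))
            cur = []
    if cur:
        out.append(hdr + b"".join(cur))
    return out

def merge(*pcaps: bytes) -> bytes:                # mergecap: single header, frames in timestamp order
    recs = sorted((s, u, raw) for p in pcaps for s, u, raw in records(p))
    return pcaps[0][:GLOBAL_HDR.size] + b"".join(raw for _, _, raw in recs)

def make_pcap(n: int, first_ts: int = 1390248824) -> bytes:
    """Constructed sample: n dummy frames one second apart, starting 2014-01-20 20:13:44 UTC."""
    payload = b"\x00" * 60
    body = b"".join(REC_HDR.pack(first_ts + i, 0, len(payload), len(payload)) + payload for i in range(n))
    return GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + body
```

Run with a real capture by passing the file's bytes to these functions; a pcapng file (the default for newer Wireshark versions) will be rejected by the magic check rather than misread.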
Last Updated
15th of May, 2014