mailing list archives
Re: Running tshark on large pcap files
From: Christopher Maynard <Christopher.Maynard () gtech com>
Date: Tue, 11 Jun 2013 04:30:30 +0000 (UTC)
Anders Broman <a.broman () > writes:
- Use editcap to split the files to more manageable chunks of say 1
- 2 GiB.
- turn off TCP reassembly and all protocols you see above TCP/UDP
I don't know if the MPLS dissector has any memory consuming features
tunable by preferences. Your best bet i s probably editcap, you can
splice the resulting files back together with mergecap should you
Another possibility is splitcap: http://www.netresec.com/?page=SplitCap.
P.S. This entire thread is buried on page 3 of the gmane archives under the
30 May 2013 12:09 thread entitled, "Editcap 1.2.15 not working", which
itself is incorrectly threaded under the 30 Jan 2013 11:11 thread entitled,
"Understanding SMB flow in Wireshark", all of which were started by Rayne.
Please start a new message/thread instead of replying to old threads and
changing the subject line.
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
mailto:wireshark-users-request () wireshark org?subject=unsubscribe