Home page logo

wireshark logo Wireshark mailing list archives

Re: Running tshark on large pcap files
From: Christopher Maynard <Christopher.Maynard () gtech com>
Date: Tue, 11 Jun 2013 04:30:30 +0000 (UTC)

Anders Broman <a.broman ()    > writes:

    Possible workarounds:
    - Use editcap to split the files to more manageable chunks of say 1
    - 2 GiB.
    - turn off TCP reassembly and all protocols you see above TCP/UDP
    I don't know if the MPLS dissector has any memory consuming features
    tunable by preferences. Your best bet i s probably editcap, you can
    splice the resulting files back together with mergecap should you
    need it.

Another possibility is splitcap: http://www.netresec.com/?page=SplitCap. 
- Chris

P.S. This entire thread is buried on page 3 of the gmane archives under the
30 May 2013 12:09 thread entitled, "Editcap 1.2.15 not working", which
itself is incorrectly threaded under the 30 Jan 2013 11:11 thread entitled,
"Understanding SMB flow in Wireshark", all of which were started by Rayne. 
Please start a new message/thread instead of replying to old threads and
changing the subject line.

Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]