This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why can’t I open a large file?

0

I am using Wireshark version 1.8, newly installed. Wireshark is crashing when trying to open a 400MB file. It gets to roughly 47%, then dies.

I get a Microsoft Visual C++ Runtime library error.

asked 07 Aug '12, 10:37

drumhrd's gravatar image

drumhrd
1111
accept rate: 0%

edited 07 Aug '12, 14:02

multipleinterfaces's gravatar image

multipleinte...
1.3k152340


One Answer:

2

Use the command line tool editcap to split the large file into smaller files. Editcap was installed when you installed Wireshark. Even if you could open the 400 MB file, you would find it difficult to work with because of its size. In particular, applying and clearing display filters would take a very long time.

You can find the editcap syntax by clicking on Help > Manual Pages > Editcap from within Wireshark.

answered 07 Aug '12, 10:58

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

Wireshark is /probably/ dying because it's running out of memory. See OutOfMemory.

Note that it's not uncommon for me to analyze 400 Mb capture files but I have a 64-bit OS (and 64-bit Wireshark) and lots of RAM. (Note here too that there have been reports that 64-bit Wireshark on 64-bit Windows is NOT able to actually take advantage of lots of RAM; I think there's a bug report about that.)

(08 Aug '12, 06:45) JeffMorriss ♦
(08 Aug '12, 07:25) Kurt Knochner ♦