This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

problem in opening large size wireshark file

0

Hi,

I have a file captured with tcpdump containing about 1 hour of network traffic; the file size is about 1G. When I want to open the file using Wireshark it takes a long time and at the end Wireshark closes with an error message.

Do you have any solution to open the whole file? Can I open it if I have a PC with higher RAM?

Best regards

asked 19 Feb '13, 03:50


MGBRU
accept rate: 0%


One Answer:

3

A trace file of 1G is big. Wireshark keeps track of several things while dissecting, so you will need a multiple of 1G of memory to be able to read the file. All filtering actions will also become very slow. I usually keep 100MB as a maximum for trace files, but it all depends on the HW of the system on which you do your analysis.

What options do you have?

  1. Split the file into a number of files. This can be done with editcap (which is included with Wireshark); then analyze the smaller files one by one.
  2. Pre-filter the file on a time range. This can also be done by editcap.
  3. Pre-filter the file on a specific host:
     - This can be done with tshark -r <file> -w <newfile> -R "ip.addr==x.x.x.x", although tshark might also run out of memory here.
     - This can be done by tcpdump (on Linux, OS X etc.) or windump (on Windows) with: tcpdump -r <file> -w <newfile> "host x.x.x.x"
  4. Use a program like "Riverbed Pilot" (commercial software) to index the file and do some of the analysis on the indices, and then zoom in on the packets you really need to see in detail with Wireshark.

answered 19 Feb '13, 04:25


SYN-bit ♦♦
accept rate: 20%
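Why the split-and-prefilter approach in the answer above works in bounded memory: a pcap file is just a 24-byte global header followed by independent 16-byte record headers plus packet bytes, so a tool can stream it one record at a time and write out smaller, still-valid captures without ever holding the whole file. The following is an added example (not code from the answer or from the Wireshark project) that does both the editcap-style chunking and the "host x.x.x.x" filter over a small capture constructed inline; it assumes classic little-endian pcap with Ethernet/IPv4 frames and is meant to show the mechanism, not to replace editcap or tcpdump.

```python
import io, struct
PCAP_MAGIC = 0xA1B2C3D4                  # classic little-endian pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def pcap_records(fp):
    """Yield (record_header, packet_bytes) one record at a time; fp sits just after the global header."""
    while len(hdr := fp.read(RECORD_HDR.size)) == RECORD_HDR.size:
        yield hdr, fp.read(RECORD_HDR.unpack(hdr)[2])

def ipv4_endpoints(pkt):
    """Return (src, dst) for an Ethernet II + IPv4 frame, or None for anything else."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[14] >> 4 != 4:
        return None
    return ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))

def split_pcap(fp, packets_per_chunk, host=None):
    """Stream fp into valid pcap chunks of <= packets_per_chunk records, optionally only frames to/from host."""
    global_hdr = fp.read(GLOBAL_HDR.size)
    if GLOBAL_HDR.unpack(global_hdr)[0] != PCAP_MAGIC:
        raise ValueError("this example handles classic little-endian pcap only")
    chunks, current, count = [], [global_hdr], 0   # memory bounded by one chunk, not the input
    for hdr, pkt in pcap_records(fp):
        if host is not None and host not in (ipv4_endpoints(pkt) or ()):
            continue                               # the 'host x.x.x.x' pre-filter from the answer
        current += [hdr, pkt]
        count += 1
        if count == packets_per_chunk:             # the editcap-style split from the answer
            chunks.append(b"".join(current))
            current, count = [global_hdr], 0
    if count:
        chunks.append(b"".join(current))
    return chunks

def make_frame(src, dst):  # constructed minimal Ethernet/IPv4 frame (headers only, no payload)
    ip = bytes([0x45, 0]) + struct.pack(">HHHBBH", 20, 0, 0, 64, 17, 0)
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap():
    """Constructed five-frame capture: three frames involve 10.0.0.1, two do not."""
    flows = [("10.0.0.1", "10.0.0.2"), ("10.0.0.3", "10.0.0.4"), ("10.0.0.2", "10.0.0.1"),
             ("10.0.0.5", "10.0.0.6"), ("10.0.0.1", "10.0.0.9")]
    frames = [make_frame(s, d) for s, d in flows]
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    out += [RECORD_HDR.pack(1361267400 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(out)

def split_sample(packets_per_chunk, host=None):  # record count per chunk for the constructed capture
    chunks = split_pcap(io.BytesIO(sample_pcap()), packets_per_chunk, host)
    return [sum(1 for _ in pcap_records(io.BytesIO(c[GLOBAL_HDR.size:]))) for c in chunks]
```

Each returned chunk starts with the original global header, so every one of them opens in Wireshark on its own; on a real 1G capture you would pass an open file object instead of the BytesIO and write each chunk to disk as it completes.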