This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

file too large to open or corrupt?

0

Been troubleshooting a potential problem with a device that happens randomly. So I've been forced to capture almost 8 hours a day.

The incident I was trying to record happened within the last few minutes of the day as I was about to leave/stop capturing for the day. So I have this 1.5 GB cap. However, when I try to open the file so I can run a filter, Wireshark crashes. So having an FML moment.

Wireshark crashes at 86% on Windows XP with this error: GLib-ERROR **: gmem.c:170: failed to allocate 81021638 bytes aborting...

When I click OK, I get a C++ Runtime Error and then Wireshark closes after that.

I'm not sure what the difference would be, but I tried opening the .cap on Windows Server 2008 and I do not get the GLib error, only the runtime error, and it still crashes, except this time at 94%.

I've tried multiple times and it always crashes at the same percentage on each machine.

Truthfully, I think I only need the last 4% or 5% of this cap anyway. The capture was recorded via my firewall (pfSense). Is there anything I can do?

asked 16 Jul '13, 09:47

RobbieRobski
11224
accept rate: 0%


2 Answers:

2

Yes. Split the file into smaller files, using the command line tool editcap with the -c parameter, which will tell editcap how many frames per file you want. Then work with the smaller files. Editcap is installed together with Wireshark and can be found in the same directory.

The issue you're experiencing is a quite common problem. See the following pages:

http://wiki.wireshark.org/KnownBugs/OutOfMemory

http://blog.packet-foo.com/2013/05/the-notorious-wireshark-out-of-memory-problem/

answered 16 Jul '13, 09:54

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 16 Jul '13, 09:55

Thanks, I guess that's what I get for still having only 4 GB RAM.

I was able to open it on a different workstation.

(16 Jul '13, 10:10) RobbieRobski

1

The issue is likely to be an out-of-memory problem; see the Wiki page on Out Of Memory. The page offers a number of solutions. Your best options would be to try a 64-bit version of Wireshark on a 64-bit OS, or use editcap (found in the same directory as the Wireshark binary) with the -c option to break the capture file into smaller chunks.

You can use capinfos to test if the file is corrupt.

answered 16 Jul '13, 09:59

grahamb ♦
19.8k330206
accept rate: 22%
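
What splitting by frame count and a truncation check involve for a classic pcap file, shown as an added example that is not part of the original answers and is not editcap's or capinfos's own code. It assumes the capture is classic pcap rather than pcapng; `split_pcap`, `make_sample` and the `MAX_FRAME` limit are hypothetical names and values chosen for this sketch.

```python
import os
import struct
import tempfile

# Classic pcap magic values as read little-endian from the first 4 bytes.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
MAX_FRAME = 262144  # sanity limit assumed for this example

def split_pcap(path, frames_per_file, out_prefix):
    """Stream a classic pcap into chunks; return (chunk_paths, frames, damaged).

    Only one frame is held in memory at a time, so file size does not matter.
    """
    chunks, total, damaged, out = [], 0, False, None
    with open(path, "rb") as src:
        ghdr = src.read(24)  # global header, repeated at the top of every chunk
        magic = struct.unpack("<I", ghdr[:4])[0] if len(ghdr) == 24 else None
        if magic not in MAGICS:
            raise ValueError("not a classic pcap file (pcapng is not handled)")
        while True:
            rhdr = src.read(16)  # ts_sec, ts_frac, incl_len, orig_len
            if not rhdr:
                break  # clean end of file
            # A short record header is forced over the limit so it fails below.
            incl_len = (struct.unpack(MAGICS[magic] + "4I", rhdr)[2]
                        if len(rhdr) == 16 else MAX_FRAME + 1)
            data = src.read(incl_len) if incl_len <= MAX_FRAME else b""
            if len(data) != incl_len:
                damaged = True  # short header, implausible length, or short frame
                break
            if total % frames_per_file == 0:  # start the next chunk
                if out:
                    out.close()
                chunks.append("%s_%05d.pcap" % (out_prefix, len(chunks)))
                out = open(chunks[-1], "wb")
                out.write(ghdr)
            out.write(rhdr + data)
            total += 1
    if out:
        out.close()
    return chunks, total, damaged

def make_sample(path, frames, cut=0):
    """Constructed sample: little-endian pcap of 60-byte frames, minus `cut` tail bytes."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(frames):
        blob += struct.pack("<4I", 1373967000 + i, 0, 60, 60) + bytes([i % 256]) * 60
    with open(path, "wb") as f:
        f.write(blob[: len(blob) - cut])

if __name__ == "__main__":
    base = os.path.join(tempfile.mkdtemp(), "big")
    make_sample(base + ".pcap", 10, cut=5)
    print(split_pcap(base + ".pcap", 4, base))  # 9 frames in 3 chunks, damaged=True
```

When only the end of a capture matters, the last chunk in the returned list is the one to open; a `damaged` result means the frames up to the break were still copied.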