This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark on android: wireshark can’t postprocess tPacketCapture

0

I have installed tPacketCapture on my Android phone (Nexus Phone Android kitkat). I transferred the file to my laptop and launched wireshark. Wireshark was consuming all the available RAM (more than 6GB) when loading a 27MB file. I had to kill the wireshark process. Anyone aware of this issue? And do you know if tPacketCapture works properly.. when it does not crash wireshark?

asked 03 Dec '13, 12:41

pierre0001


One Answer:

0

do you know if tPacketCapture works properly.. when it does not crash wireshark?

No, but others seem to have had success. Search for tag 'android' on this site.

It may be that you've encountered a wireshark bug.

To help diagnose the issue (and obtain a capture file small enough to attach to a wireshark bug report), please do the following:

  1. On your PC: Use capinfos (from the commandline) to get info about the capture file;
  2. (If the file is read OK) determine the number of packets in the file from the capinfos output.
  3. Split the file into two parts using editcap (See below).
  4. Open, in turn, each of the two files with Wireshark. (Hopefully) one of the files will still show the problem.
  5. Repeat steps 1-4 on the bad file, and so on, until you've a (bad) file of manageable size (or until the issue no longer occurs).
  6. Submit a Wireshark bug report at bugs.wireshark.org and attach the smallest bad file obtained (hopefully under 1 Meg). You can mark the bug as private if the capture file contains private data. (Click on advanced fields in the bug report).

    Commands:

    capinfos filename

    editcap -c n filename split-filename // 'n' is the number of packets to split by

answered 03 Dec '13, 14:32

Bill Meier ♦♦

edited 03 Dec '13, 14:44
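
The halving procedure from the answer above, as an added example that is not part of the original post or of Wireshark: Python code that splits a classic pcap byte string by packet count and repeats the halving until the smallest half that still reproduces the problem is left. `is_bad` is a hypothetical callback standing in for "opening this file in Wireshark still shows the problem"; the sample capture and all function names are constructed for illustration, and pcapng files are not handled.

```python
import struct

def read_pcap(data):
    """Return (global_header, [raw record bytes]) for a classic pcap byte string."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian, usec / nsec
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian, usec / nsec
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    header, records, off = data[:24], [], 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_frac, incl_len, orig_len (4 bytes each)
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        end = off + 16 + incl_len
        if end > len(data):   # truncated or corrupt record: keep what parsed so far
            break
        records.append(data[off:end])
        off = end
    return header, records

def bisect_capture(data, is_bad, min_packets=1):
    """Halve the capture repeatedly, keeping a half for which is_bad() is true."""
    header, records = read_pcap(data)
    while len(records) > min_packets:
        mid = len(records) // 2
        for half in (records[:mid], records[mid:]):
            if is_bad(header + b"".join(half)):
                records = half
                break
        else:                 # neither half reproduces the issue: stop here
            break
    return header + b"".join(records)

def make_sample(n=8, bad_index=5):
    """Constructed sample: n tiny packets, one carrying a marker payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n):
        payload = b"BAD!" if i == bad_index else b"ok%02d" % i
        out += struct.pack("<IIII", i, 0, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    small = bisect_capture(make_sample(), lambda blob: b"BAD!" in blob)
    print(len(read_pcap(small)[1]), "packet(s) left in the reduced capture")
```

If neither half reproduces the problem, the loop stops and returns the last capture that did, which matches the "until the issue no longer occurs" case in step 5.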