This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Loading more than 1GB PCAP file

0

Hi

I am not able to load more than 1 GB PCAP file in wireshark. Is there any solution to this? Please help.

Thanks Hiremath

asked 22 Sep '10, 21:54

Hiremath's gravatar image

Hiremath
1112
accept rate: 0%


2 Answers:

1

Use the command line tool editcap to slice it up.

answered 22 Sep '10, 22:49

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

0

Given the size of the capture, I guess that you don't want to study every packet details.

  • If you want to study a specific flow inside this haystack, you can try to narrow down the size of the file to load by filtering out unneeded traffic with tcpdump or tshark (check -r and -w options, plus a "good" filter).
  • If you want to have statistics over the whole capture, you may try using tshark - the command line tool - instead of wireshark. It may require less memory as it does not have a graphical UI. Statistics are related to the -z option. For example tshark -z rtp,streams -r sip-rtp-g711a.pcap -q gives information about RTP streams without printing a summary line per packet.

answered 23 Sep '10, 20:32

gteissier's gravatar image

gteissier
13
accept rate: 0%