This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to analyze very large pcapng file?

0

I have a very large pcapng file (about 21GB), and I want to analyze the file in Wireshark. Should I split it into small files with editcap? Can editcap handle such a large file? If not, what should I do?

asked 20 Feb '14, 17:31


metamatrix


2 Answers:

1

editcap should be able to handle the file, and I think it's absolutely necessary to split or pre-filter the file, as there is no way to load a 21GB file into Wireshark or tshark.

You can pre-filter the file with tcpdump (e.g. on Linux) by using a capture filter, if you know what to look for:

tcpdump -nr input.pcap -w output_x_y.pcap 'host x.x.x.x or host y.y.y.y'

Regards
Kurt

answered 20 Feb '14, 21:48


Kurt Knochner ♦

Thank you, Kurt. Should I use editcap directly on Windows to split the file? What are the proper parameters if I want to split this file into 2GB files?

(20 Feb '14, 23:09) metamatrix

You can do it on any platform that editcap supports. Unfortunately you cannot split based on file size with editcap, but you can split based on time and/or number of frames, see the editcap man page. If you need the size feature, there are other tools. Just google for: 'pcap file split'

(21 Feb '14, 08:44) Kurt Knochner ♦

0

Please try SplitCap; it's a free tool that can be used for filtering very large PCAP files. It's very fast and efficient. With a few operators you can split a large file into its individual IP pair conversations, or even further into port pairs.

answered 23 Feb '14, 18:56


deepacket
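The two splitting strategies discussed in this thread, size-based chunks (which Kurt says editcap cannot produce) and per-IP-pair conversations (what SplitCap does), as an added example that is not part of the original thread and is not Wireshark's, editcap's or SplitCap's own code. It is a pure-Python pcapng splitter: it walks the block structure, honours the per-section byte-order magic, bounds-checks every block length so a truncated or crafted capture raises instead of mis-slicing, and re-prefixes every output with the section's SHB and IDBs so each piece opens on its own in Wireshark (the detail a naive byte-offset split gets wrong). The sample capture is constructed inline; the output file names, the `other` bucket for non-IPv4 frames and the command-line flags are this example's own choices, not any tool's.

```python
import struct
from collections import defaultdict

BLOCK_SHB, BLOCK_IDB, BLOCK_EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
SHB_PATTERN = b"\x0a\x0d\x0d\x0a"  # SHB type reads the same in either byte order
BOM_LITTLE = b"\x4d\x3c\x2b\x1a"   # byte-order magic 0x1A2B3C4D as written by a little-endian host

def iter_blocks(data):
    """Yield (type, raw_block, endian) per block; lengths are bounds-checked so a truncated
    or crafted file raises instead of slicing past the buffer."""
    off, endian = 0, "<"
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated block header at offset %d" % off)
        if data[off:off + 4] == SHB_PATTERN:  # new section: endianness may change here
            btype, endian = BLOCK_SHB, ("<" if data[off + 8:off + 12] == BOM_LITTLE else ">")
        else:
            btype = struct.unpack_from(endian + "I", data, off)[0]
        blen = struct.unpack_from(endian + "I", data, off + 4)[0]
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("bad block length %d at offset %d" % (blen, off))
        yield btype, data[off:off + blen], endian
        off += blen

def ipv4_pair_key(pkt):
    """Unordered (src, dst) pair of an Ethernet/IPv4 frame; both directions share one output."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return "other"  # non-IPv4 frames are collected in one bucket (this example's choice)
    src = ".".join(str(x) for x in pkt[26:30])
    dst = ".".join(str(x) for x in pkt[30:34])
    return "%s_%s" % tuple(sorted((src, dst)))

def split_pcapng(data, max_bytes=None, group_key=None, sink=None):
    """group_key(packet) routes each packet to a stream (None: one stream); max_bytes rolls a
    stream into a new chunk when the next block would exceed it. Every chunk is re-prefixed with
    the section's SHB and IDBs. Chunks go to sink(key, chunk) if given, else {key: [chunk, ...]}."""
    done = defaultdict(list)
    emit = sink or (lambda key, chunk: done[key].append(chunk))
    streams, prefix = {}, b""  # key -> [bytearray, has_payload_blocks]
    def flush(key):
        buf, has_payload = streams.pop(key)
        if has_payload:  # never emit a header-only file
            emit(key, bytes(buf))
    for btype, raw, endian in iter_blocks(data):
        if btype == BLOCK_SHB:  # section boundary: close all streams, restart the prefix
            for key in list(streams):
                flush(key)
            prefix = raw
            continue
        if btype == BLOCK_IDB:  # interface ids are per-section indices: every stream needs each IDB
            prefix += raw
            for entry in streams.values():
                entry[0] += raw
            continue
        key = (group_key(raw[28:28 + struct.unpack_from(endian + "I", raw, 20)[0]])  # cap_len at 20
               if group_key and btype == BLOCK_EPB else None)
        entry = streams.setdefault(key, [bytearray(prefix), False])
        if max_bytes and entry[1] and len(entry[0]) + len(raw) > max_bytes:
            flush(key)
            entry = streams.setdefault(key, [bytearray(prefix), False])
        entry[0] += raw
        entry[1] = True
    for key in list(streams):
        flush(key)
    return dict(done)

def packet_count(chunk):
    return sum(1 for btype, _, _ in iter_blocks(chunk) if btype == BLOCK_EPB)

def _block(btype, body):  # constructed little-endian writer, used only for the demo input
    body += b"\x00" * (-len(body) % 4)
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))

def _ipv4_frame(src, dst, payload):
    ip = b"\x45\x00" + struct.pack(">H", 20 + len(payload)) + b"\x00\x00\x00\x00\x40\x11\x00\x00"
    ip += bytes(int(x) for x in src.split(".")) + bytes(int(x) for x in dst.split("."))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def build_sample_capture():
    """Constructed input: one section, one Ethernet interface, six 74-byte frames, two conversations."""
    shb = _block(BLOCK_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(BLOCK_IDB, struct.pack("<HHI", 1, 0, 65535))  # LINKTYPE_ETHERNET, snaplen
    flows = [("10.0.0.1", "10.0.0.2"), ("10.0.0.2", "10.0.0.1"), ("10.0.0.1", "192.168.1.9"),
             ("10.0.0.1", "10.0.0.2"), ("192.168.1.9", "10.0.0.1"), ("10.0.0.2", "10.0.0.1")]
    return shb + idb + b"".join(_block(BLOCK_EPB, struct.pack("<IIIII", 0, 0, i, 74, 74) +
                                       _ipv4_frame(s, d, b"X" * 40)) for i, (s, d) in enumerate(flows))

if __name__ == "__main__":  # python pcapng_split.py big.pcapng [max_bytes] [--by-conversation]
    import mmap, sys
    counters = defaultdict(int)
    def to_disk(key, chunk):  # write each chunk as it completes instead of holding 21 GB in RAM
        counters[key] += 1
        with open("%s.%s.%03d.pcapng" % (sys.argv[1], key or "all", counters[key]), "wb") as out:
            out.write(chunk)
    limit = int(sys.argv[2]) if len(sys.argv) > 2 and sys.argv[2].isdigit() else None
    with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as data:
        split_pcapng(data, limit, ipv4_pair_key if "--by-conversation" in sys.argv else None, to_disk)
```

The input is memory-mapped rather than read into memory, and each finished chunk is written through the sink callback as soon as it completes, so the resident set stays at roughly one chunk. A 2GB limit is a reasonable target for the original question; what the splitter cannot fix is the case where a single conversation is itself too big for Wireshark, which is where tcpdump's capture filters or tshark's read filters on the chunks come in.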