This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Concatenating File

0

I am working to debug our network here at my workplace and have just finished reading and working through the Wireshark 101 book by Laura Chappell. I hooked up a Blackbox copper tap close to one of our network switches and ran Wireshark with no capture filters in place to capture ALL network traffic, which I had plans to feed into Cascade Pilot PE to attempt to understand what issues currently exist in our network.

When I run Wireshark, it seems to crash after approx 1/2 hour of capture. I am saving the file to an NTFS file system, so I am not sure what the problem is; however, if I switch to using Multiple Files and write a new file every 100MB, everything seems to go OK. The problem now is I am left with many files that I want to analyze all at once in Cascade Pilot. Is it possible to concatenate all these files into one file that I can then open in Cascade Pilot for analysis?

asked 27 May '14, 07:50


profishark


One Answer:

2

Several questions in one here:

  1. Using Wireshark to make captures of massive traffic flows is inviting the out-of-memory problem to visit. In short, use dumpcap to make the capture where the aim is purely to capture for later analysis.
  2. Even using multiple files, capturing lots of traffic with Wireshark is problematic, see #1 above.
  3. I believe Pilot will work quite happily with multiple captures, I used it like that once in the past, and I don't think it will have lost that capability. You'll just have to RTFM to see how to do that.
  4. If you really want to concatenate all the files, then mergecap (command line, installed along with Wireshark) will do the job. Subsequently opening such a huge file in Wireshark might be difficult though.

answered 27 May '14, 08:11


grahamb ♦
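
The dumpcap capture and mergecap merge mentioned in the answer, as an added shell example that is not part of the original thread. The interface name, file names and the 100000 kB file size are assumptions; the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface, file names and
# sizes are assumptions; adjust them to your own tap and disk.

# Capture with dumpcap instead of the Wireshark GUI, switching to a new
# file roughly every 100 MB (-b filesize takes a value in kB).
capture_to_files() {    # usage: capture_to_files <interface> <base-file>
    dumpcap -i "$1" -b filesize:100000 -w "$2"
}

# Merge a set of capture files into one file with mergecap.
# By default mergecap orders packets by timestamp; "mergecap -a" would
# instead append the files in the order given.
merge_capture_set() {   # usage: merge_capture_set <out-file> <in-file>...
    [ "$#" -ge 2 ] || { echo "usage: merge_capture_set OUT IN..." >&2; return 2; }
    out=$1
    shift
    command -v mergecap >/dev/null 2>&1 ||
        { echo "mergecap not found in PATH" >&2; return 127; }
    # Never clobber an earlier merge or one of the capture files.
    [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; return 1; }
    total=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    # Report the input size up front: the merged file will be about this
    # large, which matters if the analysis tool must load it in one go.
    echo "merging $# files, $total bytes of input" >&2
    mergecap -w "$out" "$@"
}

# Example use (constructed names):
#   capture_to_files eth0 tap.pcapng
#   merge_capture_set all.pcapng tap_*.pcapng
```
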