This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

open big .cap file ?

0

Hello.

I have a .cap file that is 4Mo leght.

When i try to open it with wishark, i have an error that says "pcap: File has 1869904672-byte packet, bigger than maximum of 65535).

Someone knows how to open my complete .cap file ?

Thank you.

asked 24 May '11, 09:59

parisien's gravatar image

parisien
1111
accept rate: 0%

retagged 25 May '11, 21:47

helloworld's gravatar image

helloworld
3.1k42041


2 Answers:

2

It's not the file size that's choking Wireshark, it's that a single packet is almost 2 billion bytes in size. Either you guys are running jumbo packets OR there's something wrong with the capture file. Did you capture it with wireshark, or with another tool?

You can also look into running editcap with the -s parameter and limited the packet lengths to roughly 1500. Of course...this could be a bug with packet reassembly. Which version of WireShark are you using?

answered 24 May '11, 11:49

GeonJay's gravatar image

GeonJay
4705922
accept rate: 5%

2

This usually is a result of transferring the file through FTP and not selecting binary mode. This will mess up the CR/LF and/or LF in the file. Did you use FTP to retrieve the file? If so, could you try again, but now with binary mode?

answered 24 May '11, 12:50

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%