This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I am developing 10G packet capturer and analyser.I searched many in google and i can't able to find the solution. what are all the steps i needed to achieve this. I have a 10G napatech interface card.using that i capture 600GB packets in 10 mins.The packet mainly consist of GTP packets.When i am extracting it was changed to thrice the times of memory. My question is how can i manage such kind of big memory and how can i do parse it.whereas wireshark or tshark doesn't support these kind of large files.Please answer me if anyone was developed or anyone knows the idea about this.I was so much confused and i am new to this.

Thank you,

asked 02 Mar '16, 21:40

rathnaTech's gravatar image

rathnaTech
31348
accept rate: 0%

edited 07 Mar '16, 02:12


As both Wireshark and tshark accumulate context information about the packets, it is inevitable that you run out of memory at some size of the file. The more memory, the bigger file can be handled, but there is always a limit.

So the simplest way to address this would be to use a circular file buffer while capturing using dumpcap or your tailor-made capturing application (which do not build any context, which means that only capture filters can be used) and limit the size of the individual files to one which Wireshark/tshark can handle on your machine. Then, you would process these individual files, and maybe filter the interesting flows from them into yet smaller files which you would then merge together so that you could see the whole flow in a single file.

permanent link

answered 03 Mar '16, 02:50

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 03 Mar '16, 02:51

Thankyou sindy , does tshark captures and extracts without any loss of packets and data??

(07 Mar '16, 02:11) rathnaTech

tshark is pretty much Wireshark but with a command line interface. It uses the same dissection engine and suffers from the same memory limitations.

In addition to the memory usage, tshark and Wireshark represent a heavier load on the capture system because of the dissection they do on the packets for reassembly etc. For high speed (> 500Mps in my experience) commodity PC hardware (NIC, CPU, disk) isn't enough.

If you do manage to capture without drops into multiple files (e.g. using dumpcap or maybe the Napatech software) then have a look at Packet Analyzer from Riverbed. It's a software tool that allows views of packet data over multiple capture files, and then can drill down to specific items using Wireshark to display the packet details.

(07 Mar '16, 02:49) grahamb ♦

Problem with Napatech is that they don't distribute the software except to capture device vendors. I learned that the hard way - they're not interested in the consumer market, just selling to businesses they have an NDA with (and apparently you can't sign their NDA as a private person)

(07 Mar '16, 06:25) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×832
×238
×61
×6

question asked: 02 Mar '16, 21:40

question was seen: 1,724 times

last updated: 07 Mar '16, 06:25

p​o​w​e​r​e​d by O​S​Q​A