Hi, I am developing a 10G packet capturer and analyser. I searched a lot on Google and I can't find the solution. What are all the steps I need to achieve this? I have a 10G Napatech interface card. Using that, I capture 600GB of packets in 10 minutes. The packets mainly consist of GTP packets. When I extract it, it grows to three times the size in memory. My question is how I can manage such a large amount of memory and how I can parse it, whereas Wireshark or tshark doesn't support such large files. Please answer me if anyone has developed this or knows an idea about it. I am very confused and I am new to this.
asked 02 Mar '16, 21:40
edited 07 Mar '16, 02:12
As both Wireshark and tshark accumulate context information about the packets, it is inevitable that you run out of memory at some file size. The more memory you have, the bigger the file that can be handled, but there is always a limit.
So the simplest way to address this would be to use a circular file buffer while capturing, using dumpcap or your tailor-made capturing application (which do not build any context, which means that only capture filters can be used), and limit the size of the individual files to one which Wireshark/tshark can handle on your machine. Then you would process these individual files, and maybe filter the interesting flows from them into yet smaller files, which you would then merge together so that you could see the whole flow in a single file.
answered 03 Mar '16, 02:50
edited 03 Mar '16, 02:51
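The "filter the interesting flows from each chunk, then merge" step of the answer above, as an added example in Python (not code from the original question or answer, and not a Wireshark/Napatech tool). It assumes classic pcap chunk files (magic 0xa1b2c3d4 or the nanosecond 0xa1b23c4d variant) with an Ethernet link type, and GTPv1 carried over UDP on the standard ports 2123 (GTP-C) and 2152 (GTP-U); the file names, TEIDs and frames in `demo()` are constructed for the illustration. Each chunk is read one record at a time and the merge uses a k-way heap merge over those streams, so memory stays flat no matter how large the chunks are, which is exactly the property Wireshark's per-packet context does not give you.

```python
"""Stream-filter GTP flows out of pcap chunks and merge the survivors (added example)."""
import heapq
import os
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # classic pcap, nanosecond timestamps
GTP_PORTS = {2123, 2152}      # GTP-C and GTP-U (assumed standard ports)
LINKTYPE_ETHERNET = 1


def read_pcap(path):
    """Yield (timestamp_ns, packet_bytes) from a classic pcap, one record at a time."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24:
            return
        magic, endian = struct.unpack("<I", hdr[:4])[0], "<"
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            magic, endian = struct.unpack(">I", hdr[:4])[0], ">"
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError(f"{path}: not a classic pcap file")
        scale = 1 if magic == PCAP_MAGIC_NSEC else 1000
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            data = f.read(incl_len)
            if len(data) < incl_len:
                return  # truncated last record (e.g. capture cut off): stop, don't raise
            yield ts_sec * 1_000_000_000 + ts_frac * scale, data


def write_pcap(path, records):
    """Write (timestamp_ns, packet_bytes) records as a microsecond pcap; return count."""
    count = 0
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts_ns, data in records:
            f.write(struct.pack("<IIII", ts_ns // 1_000_000_000,
                                (ts_ns % 1_000_000_000) // 1000, len(data), len(data)))
            f.write(data)
            count += 1
    return count


def gtp_teid(pkt):
    """Return the GTPv1 TEID of an Ethernet/IPv4/UDP frame, or None if it is not GTP."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or (pkt[14] >> 4) != 4 or pkt[23] != 17:
        return None
    ihl = (pkt[14] & 0x0F) * 4
    udp, gtp = 14 + ihl, 14 + ihl + 8
    if ihl < 20 or len(pkt) < gtp + 8:
        return None
    sport, dport = struct.unpack("!HH", pkt[udp:udp + 4])
    if sport not in GTP_PORTS and dport not in GTP_PORTS:
        return None
    if (pkt[gtp] >> 5) != 1:  # version bits must be 1 (GTPv1); GTPv2 is not handled here
        return None
    return struct.unpack("!I", pkt[gtp + 4:gtp + 8])[0]  # flags, msg type, length, TEID


def filter_chunk(in_path, out_path, teids):
    """Copy only packets whose TEID is in `teids` into a smaller pcap; return count kept."""
    return write_pcap(out_path, (r for r in read_pcap(in_path) if gtp_teid(r[1]) in teids))


def merge_chunks(chunk_paths, out_path):
    """Merge already-sorted chunk files in timestamp order without loading them whole."""
    return write_pcap(out_path, heapq.merge(*(read_pcap(p) for p in chunk_paths),
                                            key=lambda r: r[0]))


def build_gtpu_frame(teid, payload=b"\x45\x00"):
    """Constructed test frame: Ethernet/IPv4/UDP 2152/GTPv1-U G-PDU with the given TEID."""
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(payload), teid) + payload
    udp = struct.pack("!HHHH", 2152, 2152, 8 + len(gtp), 0) + gtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def demo():
    """Constructed two-chunk run: filter each chunk for two TEIDs, then merge in time order."""
    d = tempfile.mkdtemp()
    a, b, fa, fb, out = (os.path.join(d, n) for n in
                         ("a.pcap", "b.pcap", "fa.pcap", "fb.pcap", "merged.pcap"))
    s = 1_000_000_000  # one second in nanoseconds
    write_pcap(a, [(1 * s, build_gtpu_frame(0x11)), (3 * s, build_gtpu_frame(0x22)),
                   (5 * s, b"\x00" * 60)])  # last record is a non-GTP frame
    write_pcap(b, [(2 * s, build_gtpu_frame(0x11)), (4 * s, build_gtpu_frame(0x33))])
    wanted = {0x11, 0x33}
    kept = [filter_chunk(a, fa, wanted), filter_chunk(b, fb, wanted)]
    merged = merge_chunks([fa, fb], out)
    order = [(ts // s, gtp_teid(p)) for ts, p in read_pcap(out)]
    return {"kept": kept, "merged": merged, "order": order}


if __name__ == "__main__":
    print(demo())
```

Because the filtered files are written as they are read, the same loop works on a ring of dumpcap chunk files as they rotate; the only per-file state is the current record, and `heapq.merge` keeps just one pending record per chunk while merging.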