This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can't open too large .eth file

0

Hello,

I have a too big (*.eth) file (7 GB) and can't open it with Wireshark. How can I reduce it and make smaller files out of it? (Like you can do with editcap and .pcap files, for example: editcap -c 10000 .........)

Or can I convert the .eth file into a .pcap file?

Hello,

I have a .eth file that is too large to open with Wireshark (7 GB), because data was being downloaded during the capture. How can I shrink/split the file so that I can open it again? I tried editcap, but apparently it can only process pcap files.

Could the .eth file perhaps be converted into a pcap file?

asked 28 Aug '11, 16:29

tkwire

edited 30 Aug '11, 12:23

helloworld

What program did you record the file with? The extension doesn't really mean much when it comes to trace files.

(29 Aug '11, 01:01) Jasper ♦♦

...which can be determined by using:

capinfos -Et <filename>
(29 Aug '11, 06:54) Jaap ♦

It was made with my router's (Fritz Box) own capture software. I just have to log in to the router and click on the start button for the capture. Usually I can open the files, but this file is too big.

If I want to open the file with Wireshark, I can get this information:
filename: fritzbox-vcc_28.08.11_1044.eth 
format(file type): Modified tcpdump - libpcap 
Size: 8097448066 bytes 
Packets: more than 247300 packets (preview timeout) 
First Packet: 2011-08-28 10:44:55 
Elapsed: unknown End time: Sun Aug 28 20:50:51 2011

Sorry for my bad English.

(30 Aug '11, 03:25) tkwire

It looks like the Fritz Box is writing pcap-formatted files then, which means that editcap should be able to cut them into smaller files. The question is why editcap doesn't work, though, but this is hard to tell without having the trace file.

(30 Aug '11, 04:40) Jasper ♦♦

One Answer:

0

Since the file is in libpcap format, all the Wireshark tools, including editcap, are able to read the file. However, the file is bigger than 2 GB, which was a limit in earlier versions of Wireshark (and accompanying tools). There has been some work on this limit. Could you try version 1.6.1 of editcap?

If version 1.6.1 of editcap does not work either, could you post the error message you get?

answered 30 Aug '11, 04:48

SYN-bit ♦♦

version 1.6.1

I don't know what I did wrong the first time, but now I did the same to get the error message and now it ran without problems.

editcap -c 2000000 "filename".eth "filename".pcap
and
editcap -c 2000000 "filename".eth "filename".eth

Both lines are running.

Many thanks to all who tried to help me, especially SYN-bit, Jasper and Jaap.

(30 Aug '11, 08:44) tkwire

(I converted your "answer" to a "comment", please see the FAQ for details)

(30 Aug '11, 09:22) SYN-bit ♦♦
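The packet-count split discussed in this thread, as an added example (not part of the original thread and not Wireshark's code): it streams the capture record by record, so the file size never matters, and it stops cleanly at a truncated last packet. The function name `split_pcap`, the output naming and the 24-byte record header used for the "Modified tcpdump" magic are assumptions of this example.

```python
import struct

# Record-header sizes by magic number: classic, nanosecond, "modified" pcap.
# 24 bytes for the modified format is the common layout (assumption).
REC_HDR_LEN = {0xA1B2C3D4: 16, 0xA1B23C4D: 16, 0xA1B2CD34: 24}

def split_pcap(src, out_prefix, per_file):
    """Stream src and write out_prefix_00000.pcap, ... with per_file packets
    each. Returns a list of (path, packet_count) for the files written."""
    written = []
    with open(src, "rb") as f:
        ghdr = f.read(24)                      # global header is 24 bytes
        if len(ghdr) < 24:
            raise ValueError("not a pcap file: short global header")
        for endian in ("<", ">"):              # magic tells us the byte order
            magic = struct.unpack(endian + "I", ghdr[:4])[0]
            if magic in REC_HDR_LEN:
                break
        else:
            raise ValueError("unknown magic %r" % ghdr[:4])
        hdr_len = REC_HDR_LEN[magic]
        snaplen = struct.unpack(endian + "I", ghdr[16:20])[0]
        out, count = None, 0
        while True:
            rhdr = f.read(hdr_len)
            if len(rhdr) < hdr_len:            # clean EOF or cut-off header
                break
            caplen = struct.unpack(endian + "I", rhdr[8:12])[0]
            if caplen > max(snaplen, 262144):  # corrupt length: stop here
                break
            data = f.read(caplen)
            if len(data) < caplen:             # capture cut off mid-packet
                break
            if out is None:
                path = "%s_%05d.pcap" % (out_prefix, len(written))
                out = open(path, "wb")
                out.write(ghdr)                # each chunk keeps the header
            out.write(rhdr + data)
            count += 1
            if count == per_file:
                out.close()
                written.append((path, count))
                out, count = None, 0
        if out is not None:                    # last, partially filled chunk
            out.close()
            written.append((path, count))
    return written
```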