This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

File size limit on TShark?

0

I have been attempting to capture a high volume of multicast traffic for a week now using TShark. The process always unexpectedly terminates. The captures start at various times of the day.

Trying to figure out what is going on, I noticed that the capture files almost always are just short of 40GB in size when TShark terminates. It appears to be the one constant I've found in the problem.

Is there a file size limit in TShark, or should I be looking elsewhere for the problem?

asked 10 Oct '11, 11:15

Chuu's gravatar image

Chuu
11224
accept rate: 0%

try to limit the size of the trace file - tshark -b filesize:100 - this will close and open a new file after 100 Kb reached

(20 Apr '15, 05:24) HiB

One Answer:

2

I think it's not a hard coded limit, but TShark seems to run out of ressources over time.

You should try to capture using dumpcap instead, and go for a multi capture setup - meaning, write smaller trace files and open a new one when the limit is reached. Usually I go for 32MB or 64MB files, which allows easily opening them in Wireshark afterwards.

answered 10 Oct '11, 11:32

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Come on @Jasper, point to the canonical reference on Wireshark\tshark out of memory issues on your blog: https://blog.packet-foo.com/2013/05/the-notorious-wireshark-out-of-memory-problem/

(20 Apr '15, 05:53) grahamb ♦

lol @grahamb, this is a really old post from 4 years ago. There was no blog back then :-)

BTW, most blog hits are for "Spurious retransmission", by far ;-)

(20 Apr '15, 06:25) Jasper ♦♦