This is a copy from the bug, on the advice of Graham
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13694
Today most professional capture files can't be opened directly in
Wireshark due to their size, and faced with a 10 GB pcap file the open
source user has:
* sequential packet readers (tcpdump/dumpcap) + capture filters
* custom index tools
By contrast, network software vendors are building indexes that are pretty
efficient (Riverbed Packet Analyzer index and micro-index, ExtraHop, etc.).
Several open source projects exist, but AFAIK none are really
linked/approved by the Wireshark community yet:
#####
ntop n2disk & pcapIndex:
http://luca.ntop.org/pcapIndex.pdf
Luca seemed interested in sharing:
https://twitter.com/lucaderi/status/839490394924670976
cppip:
https://blogs.cisco.com/security/tools-of-the-trade-the-compressed-pcap-packet-indexing-program
sancp:
http://blog.vorant.com/2008/04/pcap-indexing.html
moloch:
https://github.com/aol/moloch
...
#####
The discussion is wide and not straightforward: indexing will be a trade-off
between index size / speed / evolvability.
The idea is to throw in ideas / experience / suggestions and find some
basis for specifications / code integration / development to start from, and
maybe integrate it into Wireshark one day.
(File -> Index PCAP!)
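As an added illustration of the index-size versus lookup-speed trade-off raised above (this is example code written for this page, not code from the bug report or from any of the projects listed), a minimal packet-offset index over a classic little-endian pcap file: a stride of 1 stores an offset for every packet, a larger stride stores fewer checkpoints but each random access has to scan forward from the nearest one. The pcap written by `write_sample_pcap` is constructed sample data.

```python
import bisect
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")  # ts_sec, ts_usec, caplen, origlen

def write_sample_pcap(path, n_packets):
    """Write a constructed pcap of n_packets dummy frames with varying lengths."""
    with open(path, "wb") as f:
        f.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
        for i in range(n_packets):
            frame = bytes([i & 0xFF]) * (60 + i % 40)
            f.write(PKT_HDR.pack(1500000000 + i, i * 1000, len(frame), len(frame)))
            f.write(frame)

def build_sparse_index(path, stride):
    """One sequential pass: record (packet_no, file_offset) every `stride` packets.
    stride=1 is a full index (fastest lookup, largest); bigger strides shrink it."""
    index = []
    with open(path, "rb") as f:
        f.seek(GLOBAL_HDR.size)
        pkt_no = 0
        while True:
            off, hdr = f.tell(), f.read(PKT_HDR.size)
            if len(hdr) < PKT_HDR.size:
                break  # end of file (or a truncated trailing record header)
            caplen = PKT_HDR.unpack(hdr)[2]
            if pkt_no % stride == 0:
                index.append((pkt_no, off))
            f.seek(caplen, os.SEEK_CUR)  # skip packet data without reading it
            pkt_no += 1
    return index

def read_packet(path, index, pkt_no):
    """Random access: seek to the last checkpoint <= pkt_no, then scan forward."""
    i = bisect.bisect_right([n for n, _ in index], pkt_no) - 1
    start_no, off = index[i]
    with open(path, "rb") as f:
        f.seek(off)
        for _step in range(start_no, pkt_no + 1):
            ts_sec, ts_usec, caplen, _origlen = PKT_HDR.unpack(f.read(PKT_HDR.size))
            frame = f.read(caplen)
    return ts_sec, ts_usec, frame

def demo(n_packets=100, stride=16, pkt_no=37):
    # Build a full and a sparse index over a temp file; return their sizes and one packet.
    path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    write_sample_pcap(path, n_packets)
    full, sparse = build_sparse_index(path, 1), build_sparse_index(path, stride)
    return len(full), len(sparse), read_packet(path, sparse, pkt_no)
```

`demo()` returns the full-index entry count, the sparse-index entry count and the packet fetched through the sparse index, so the size difference and the identical lookup result can be compared directly.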