Wireshark-users: Re: [Wireshark-users] 2 gig limit on mergecap
Daniel Goolsby wrote:
regardless, mergecap stops at 2g. I made sure and compiled merge on a
Sparc Sun box, i also recompiled zlib to make sure it was at least
compiled on a 64bit machine- no telling if it had any real effect.
"Compiled on a 64-bit machine" isn't enough; zlib would have to be built
as a 64-bit library, which might not be the default on a 64-bit machine
- the default might be 32-bit.
I could probably 'tcpreplay' the individual files on an interface that
isn't being used, and tcpdump that one,
...but only if tcpdump can handle files >2GB. It uses libpcap to write
the capture file, and libpcap uses the regular standard I/O routines,
so, unless libpcap is built in the right "transitional environment", I
don't think it'll be able to handle files >2GB in Solaris. (See my
response to Ulf Lamping for more details.)
If you're running Linux rather than Solaris, the answers might be
different - but not as different as you might like, given that off_t is,
I think, a long in Linux, and thus 32 bits in an ILP32 environment.
