Wireshark-users: Re: [Wireshark-users] Reading from a large trace file
From: "Kamran Shafi" <kamran.shafi@xxxxxxxxx>
Date: Mon, 14 Apr 2008 10:13:13 +1000
Thanks Barry,

I actually have stored this trace in multiple files which I joined using tcpslice to make this big file. Then my revised question is: can Wireshark read multiple files and give aggregate statistics?
On Mon, Apr 14, 2008 at 12:32 AM, Barry Constantine <Barry.Constantine@xxxxxxxx> wrote:

You can split the file using the command line editcap.

First run "capinfos" command line to determine how many frames are in the trace file, then use editcap to split into manageable size chunks.

-Barry

 


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Kamran Shafi
Sent: Saturday, April 12, 2008 9:09 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Reading from a large trace file

 

Hello folks,

I have recently joined the list so apologies if the question has already been asked.

I am trying to read a large trace file (around 3 GB) stored with tcpdump -w flag to get the protocol statistics from Wireshark. I am on Windows XP Pro with 1 GB RAM. Wireshark complains about the memory and crashes when trying to read this file. I guess it is trying to store everything in the memory before giving any stats. Is there a way to make Wireshark read without storing the packets but giving details about the trace at the end?

--
Regards
Kam


--
Regards
Kamran
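
What the thread asks for (per-protocol statistics without holding packets in memory, summed over several capture files) is shown below as an added example; it is not part of the original messages and is not Wireshark code. It assumes classic pcap files as written by `tcpdump -w` with an Ethernet link type, and every function name in it is hypothetical.

```python
import io
import struct
from collections import Counter

MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # file byte order
IP_PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}

def classify(frame):
    """Name the protocol carried by one Ethernet frame."""
    ethertype = int.from_bytes(frame[12:14], "big")  # short frames end up "other"
    if ethertype != 0x0800 or len(frame) < 24:
        return "arp" if ethertype == 0x0806 else "other"
    return IP_PROTOS.get(frame[23], "ip-other")      # IPv4 protocol field

def count_stream(fh, stats):
    """Stream one classic pcap file; only the counters stay in memory."""
    header = fh.read(24)
    endian = MAGIC.get(header[:4])
    if endian is None or len(header) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", header[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    while len(rec := fh.read(16)) == 16:             # per-packet record header
        incl_len, orig_len = struct.unpack(endian + "II", rec[8:])
        frame = fh.read(incl_len)
        if len(frame) < incl_len:                    # file cut off mid-packet
            stats["cut-off"] += 1
            break
        stats["frames"] += 1
        stats["bytes"] += orig_len
        stats[classify(frame)] += 1

def aggregate(streams):
    """Sum the statistics of several capture files read in turn."""
    stats = Counter()
    for fh in streams:
        count_stream(fh, stats)
    return stats

def sample_pcap(frames):
    """Constructed test input: a little-endian pcap holding `frames`."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return io.BytesIO(out)

def eth_ipv4(proto):
    """Constructed 34-byte Ethernet + IPv4 header with the given protocol."""
    return bytes(12) + b"\x08\x00" + b"\x45" + bytes(8) + bytes([proto]) + bytes(10)
```

For real captures, pass file objects opened in binary mode to `aggregate`, in the order the files were recorded.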