Neither Wireshark nor Tshark will help you out here. They use the
same engine. The problem is that the engine keeps state-information
on each session. As it is an analyser tool that wants to give you
as much information as possible, it does not flush data when a
session is ended.

This means the memory footprint will keep growing as more of the
large file is read.

If all you need is basic statistics, then "ntop" might be a
better tool for you; it focusses more on quantitative information
while Wireshark focusses more on qualitative information.

Hope this helps,
Cheers,
Sake

On Mon, Apr 14, 2008 at 09:50:55AM -0700, Barry Constantine wrote:
> Not to my knowledge.
>
> Have you tried using the command line tshark to generate the statistics
> on this large file?
>
> -Barry
>
> ________________________________
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Kamran Shafi
> Sent: Sunday, April 13, 2008 8:13 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Reading from a large trace file
>
> Thanks Barry,
>
> I actually have stored this trace in multiple files which I joined using
> tcpslice to make this big file. Then my revised question is can
> Wireshark read multiple files and give aggregate statistics?
>
> On Mon, Apr 14, 2008 at 12:32 AM, Barry Constantine
> <Barry.Constantine@xxxxxxxx> wrote:
>
> You can split the file using the command line editcap.
>
> First run "capinfos" command line to determine how many frames are in
> the trace file, then use editcap to split into manageable size chunks.
>
> -Barry
>
> ________________________________
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Kamran Shafi
> Sent: Saturday, April 12, 2008 9:09 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Reading from a large trace file
>
> Hello folks,
>
> I have recently joined the list so apologies if the question has already
> been asked.
>
> I am trying to read a large trace file (around 3 GB) stored with tcpdump
> -w flag to get the protocol statistics from Wireshark. I am on Windows
> XP Pro with 1 GB RAM. Wireshark complains about the memory and
> crashes when trying to read this file. I guess it is trying to store
> everything in the memory before giving any stats. Is there a way to make
> Wireshark read without storing the packets but giving details about the
> trace at the end?
>
> --
> Regards
> Kam
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
> --
> Regards
> Kamran
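
The replies above stay within Wireshark's own tools. As an added example (not from the thread or the Wireshark project), the sketch below takes a different route to the same goal: one streaming pass over one or more classic pcap files as written by `tcpdump -w`, keeping only per-protocol counters in memory so the footprint does not grow with file size. It assumes Ethernet captures in the classic pcap format; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

IP_PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}
ETHERTYPES = {0x0806: "arp", 0x86DD: "ipv6"}
LITTLE = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec / nsec magic
BIG = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")

def classify(frame):
    """Label an Ethernet frame by ethertype and, for IPv4, IP protocol."""
    if len(frame) < 14:
        return "short"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return ETHERTYPES.get(ethertype, hex(ethertype))
    if len(frame) < 24:  # snaplen cut the IPv4 header short
        return "ipv4:truncated"
    return "ipv4:" + IP_PROTOS.get(frame[23], str(frame[23]))

def pcap_stats(stream, counts):
    """Add one classic pcap's protocol counts to `counts`, record by record."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in LITTLE + BIG:
        raise ValueError("not a classic pcap file")
    endian = "<" if header[:4] in LITTLE else ">"
    if struct.unpack(endian + "I", header[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    while len(rec := stream.read(16)) == 16:
        incl_len = struct.unpack(endian + "4I", rec)[2]
        frame = stream.read(incl_len)  # discarded after classification
        if len(frame) < incl_len:  # capture was cut off mid-packet
            counts["truncated-record"] += 1
            break
        counts[classify(frame)] += 1
    return counts

def aggregate(paths):
    """Sum the counters over several capture files, one pass each."""
    totals = Counter()
    for path in paths:
        with open(path, "rb") as fh:
            pcap_stats(fh, totals)
    return totals

def sample_pcap():  # constructed capture: one TCP/IPv4 frame, one ARP frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    tcp = bytes(12) + b"\x08\x00" + bytes(9) + b"\x06" + bytes(10)
    arp = bytes(12) + b"\x08\x06" + bytes(28)
    return hdr + b"".join(struct.pack("<4I", 0, 0, len(f), len(f)) + f for f in (tcp, arp))
```

Calling `aggregate()` with the original unjoined capture files gives the combined totals without building the 3 GB file first.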