Wireshark-users: Re: [Wireshark-users] Wireshark (1.4.0) fails opening large file on Windows Vist
Hi Jaap,

Thank you very much for the description of memory related issues!
The workaround, splitting the file into, was working for me. Fine!

However, there are some issues for which I have found no reference, neither in the wiki nor in bugzilla.
I suspect this is not the expected behavior with respect to files >2GB:

- capinfos.exe (Windows 32-bit) displays negative filesize
- capinfos (Linux 32-bit) stops with "Value too large for defined data type" error
- editcap (Linux 32-bit) stops with "Value too large for defined data type" error
- tshark (Linux 32-bit) stops with "Value too large for defined data type" error
- wireshark (Windows 32-bit) does not display the "Loading..." dialog and does not allow to stop loading a few percent of the file.

Anyhow, the tools work well for ordinary (<2GB) files. And this is okay!

cheers,
Tamas
Hi,
http://wiki.wireshark.org/KnownBugs/OutOfMemory
Thanks,
Jaap
On Mon, 25 Oct 2010 12:02:32 +0200, Tamás Varga <Tamas.Varga@xxxxxxxxxxxx> wrote:
Hi Wiresharkers,

Complementing my earlier mail, I have made a little survey on the issue.

With editcap, I have split the file into two parts, and it can be loaded:

    editcap -c 6000000 wa_00000_20100730043832.pcap wab.pcap

However, tshark.exe fails to open the file, even in file-to-file mode with filter:

    tshark -r wa_00000_20100730043832.pcap -w wac.pcap -R "ip.addr == 10.110.156.17"

Running capinfos.exe yields a negative file size:

    C:\Temp>capinfos wa_00000_20100730043832.pcap
    File name: wa_00000_20100730043832.pcap
    File type: Wireshark/tcpdump/... - libpcap
    File encapsulation: Ethernet
    Packet size limit: file hdr: 300 bytes
    Packet size limit: inferred: 300 bytes
    Number of packets: 11697799
    File size: -1855096401 bytes
    Data size: 7220225590 bytes
    Capture duration: 60 seconds
    Start time: Fri Jul 30 04:38:32 2010
    End time: Fri Jul 30 04:39:32 2010
    Data byte rate: 119560482.40 bytes/sec
    Data bit rate: 956483859.19 bits/sec
    Average packet size: 617.23 bytes
    Average packet rate: 193705.10 packets/sec
    SHA1: f3fea0286f21f5ce8543e960f95b72503c40c953
    RIPEMD160: e32e45c02492ecf54ffff0a1ff07bd895f70962e
    MD5: e18b4af9a612379a315780cfad7bd9df
    Strict time order: False

With respect to my earlier mail, I was about to open the file and press STOP to prevent loading the entire file.
(I was not expecting to fit a >2GB file into the user-space of 32-bit application). But the "Loading..." window does not appear.

cheers,
Tamas
Hi Wiresharkers,

I have received a large PCAP file on NTFS filesystem of size 2,439,870,895 bytes.
Opening the file yields the following error message (after a long waiting time):

    GLib-ERROR **: gmem.c:136: failed to allocate 4294967295 bytes
    aborting

To open the file, is it worth seeking for a 64-bit machine?
Is largefile support planned in any 32-bit versions of Wireshark?

cheers,
Tamas
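
Added example, not part of the original thread and not Wireshark code: the negative size capinfos printed is exactly what the 2,439,870,895-byte size becomes when narrowed to a signed 32-bit integer, and "Value too large for defined data type" is the glibc message for EOVERFLOW. The sketch contrasts unchecked narrowing with a checked one; the function names are hypothetical, and the assumption that the 32-bit builds hold the size in a signed 32-bit field is inferred from the numbers, not confirmed in the thread.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* File size quoted in the thread: 2,439,870,895 bytes. */
#define THREAD_FILE_SIZE UINT64_C(2439870895)

/* Unchecked narrowing (hypothetical helper): keep the low 32 bits and
 * read them as a signed value, which is what a size field of type
 * int32_t ends up holding for a file larger than 2 GiB. */
int32_t size_as_int32_unchecked(uint64_t size)
{
    uint32_t low = (uint32_t)size;
    int32_t out;
    memcpy(&out, &low, sizeof out); /* int32_t is two's complement */
    return out;
}

/* Checked narrowing (hypothetical helper): refuse instead of wrapping.
 * Returns 0 on success, EOVERFLOW when the size cannot be represented. */
int size_as_int32_checked(uint64_t size, int32_t *out)
{
    if (size > (uint64_t)INT32_MAX)
        return EOVERFLOW;
    *out = (int32_t)size;
    return 0;
}

int main(void)
{
    int32_t narrowed = 0;
    int rc = size_as_int32_checked(THREAD_FILE_SIZE, &narrowed);

    printf("real size:           %" PRIu64 " bytes\n",
           (uint64_t)THREAD_FILE_SIZE);
    printf("unchecked narrowing: %" PRId32 " bytes\n",
           size_as_int32_unchecked(THREAD_FILE_SIZE));
    if (rc != 0)
        printf("checked narrowing:   refused: %s\n", strerror(rc));
    else
        printf("checked narrowing:   %" PRId32 " bytes\n", narrowed);
    return rc == EOVERFLOW ? 0 : 1;
}
```

A size that wraps negative is more dangerous than one that is refused, because later length checks and allocations computed from it can pass or fail in ways the code never anticipated.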