Wireshark-users: Re: [Wireshark-users] Value too large for defined data type

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Tue, 4 Aug 2009 23:40:25 +0200

Andrej,

You could cat the big file and pipe it to dumpcap and tell dumpcap to generate multiple small files:

cat big.cap | dumpcap -i- -w smaller.cap -b filesize:65536

(this will split up the big file into multiple smaller files of 64MB)

Hope this helps,
Cheers,
    Sake

PS IIRC, the reason for the wireshark tools not being able to handle these large files is due to limitations in the gzip libraries...

----- Original Message ----- From: "Andrej van der Zee" <andrejvanderzee@xxxxxxxxx>

To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Tuesday, August 04, 2009 9:47 AM
Subject: [Wireshark-users] Value too large for defined data type

Hi,

I have a huge tcpdump file of 15GB that I want to break up in pieces
with editcap. But when I try to run editcap on the file, I get the
following errors:

editcap: Can't open huge.cap: Value too large for defined data type

Same goes for "tshark" and "capinfos".

Is there a way I can still use these tools?

Thank you,
Andrej
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe