
Wireshark-dev: Re: [Wireshark-dev] File size limits on Linux and building for large file suppor

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Tue, 26 Jun 2007 08:27:03 +0200
Shehjar Tikoo wrote:
> Hi all,
>
> I've seen a few posts in the wireshark-users archive where Ulf Lamping mentions incorporating support for gint64 offsets for traffic dump files.
>
> Does this imply that tshark can write pcap files using large file support on Linux without the need to resort to multiple capture ring files?

Although it's probably still untested, it should work.

> If not, is it possible to build myself a tshark version that does support writing to large files by specifying
>
> 	 CFLAGS=-D_GNU_SOURCE\ -D_FILE_OFFSET_BITS=64
>
> , etc. to the configure script?
>
> My doubt with the above method is that the system's underlying libpcap might not support large files, in which case tshark might not either.

libpcap doesn't work with the files directly, so there's no problem here.

You'll need to compile without libz, as libz is (optionally?) used to work with capture files and it will by default use 32-bit file offsets on machines which use 32 bits for long values. So you can compile Wireshark/Tshark without libz (configure option?) or use a 64-bit machine that uses 64 bits for "long" integers.

However, I don't know the configure settings for this as I'm working on Win32 most of the time.

> How does tshark interact with libpcap while dumping to pcap?

tshark gets the "raw packet data" from libpcap and then uses its own wiretap library to save the data to disc.

> Will the file size limit on libpcap also limit the output file sizes for tshark even if I specify the above CFLAGS for my build?
>
> I do not need to use wireshark so I am not very concerned about huge memory usage for those large pcap files.

Regards, ULFL
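
An added example, not part of the original message or of Wireshark's code: a small C probe, assuming Linux with glibc, that checks what the `_FILE_OFFSET_BITS=64` flag discussed above provides and whether an offset past 2 GiB still fits in a `long`, the type the reply says libz uses for file offsets. The helper names and the temp-file path are hypothetical.

```c
/* Added example; helper names and the /tmp path are hypothetical. */
#define _GNU_SOURCE            /* same macros as the CFLAGS quoted in the thread */
#define _FILE_OFFSET_BITS 64   /* must come before every #include to take effect */
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PROBE_OFFSET ((off_t)1 << 31)  /* first offset a signed 32-bit value cannot hold */

/* 1 if this build got a 64-bit off_t. */
int off_t_is_64bit(void) { return sizeof(off_t) * CHAR_BIT >= 64; }

/* 1 if the offset can be stored in a long without truncation. */
int fits_in_long(off_t off) { return off >= LONG_MIN && off <= LONG_MAX; }

/* Create a sparse temp file, write one byte at PROBE_OFFSET and return the
 * size the kernel reports (PROBE_OFFSET + 1), or -1 if any step fails. */
off_t probe_large_file(void)
{
    char path[] = "/tmp/lfs_probe_XXXXXX";
    struct stat st;
    off_t size = -1;
    int fd;

    signal(SIGXFSZ, SIG_IGN);  /* get EFBIG from write() instead of being killed */
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (lseek(fd, PROBE_OFFSET, SEEK_SET) == PROBE_OFFSET &&
        write(fd, "x", 1) == 1 && fstat(fd, &st) == 0)
        size = st.st_size;
    close(fd);
    unlink(path);
    return size;
}

int main(void)
{
    printf("off_t is 64-bit: %d\n", off_t_is_64bit());
    printf("2 GiB offset fits in long: %d\n", fits_in_long(PROBE_OFFSET));
    printf("size after write at 2 GiB: %lld\n", (long long)probe_large_file());
    return 0;
}
```

On a 32-bit build the second line prints 0, which is the case where code that keeps file offsets in a `long` cannot address the part of a capture file beyond 2 GiB.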