
Wireshark-dev: [Wireshark-dev] wireshark utilities unable to read large files

From: "Romel Khan" <Romel.Khan@xxxxxxx>
Date: Sat, 28 Jun 2008 11:11:29 -0400

Any Wireshark utilities, such as tshark and editcap, are unable to read large files. When using the Wireshark package to monitor live packets, it may be necessary to read files that are many gigabytes. Upon investigating the code, I find that an eth_open function call is made:

    wiretap/file_access.c:    wth->fd = eth_open(filename, O_RDONLY|O_BINARY, 0000 /* no creation so don't matter */);

With a Linux system in mind, this function would call the open(..) function. It seems that including O_LARGEFILE, or'ed into the flags argument (i.e. the 2nd argument of eth_open(..)), would help:

    wth->fd = eth_open(filename, O_RDONLY|O_BINARY|O_LARGEFILE, 0000)

An alternative option is to rewrite this code with a call to fopen(filename, "r") instead of using open(..). Tcpdump, using libpcap which calls fopen(..), has no issue dealing with large files.

I am new to the Wireshark development community. What is the next step in creating a defect and scheduling a fix in a future Wireshark version?

Thanks.
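The mechanism behind the proposed fix, as an added illustration that is not Wireshark or libpcap code: with _FILE_OFFSET_BITS defined as 64 before the system headers, off_t becomes 64-bit and glibc's open() implies O_LARGEFILE, so offsets past 2 GiB are representable and seekable. The block opens a file with the flags from the post (O_LARGEFILE or'ed in, with fallbacks for platforms that lack O_LARGEFILE or O_BINARY) and probes a sparse temporary file just past the 2 GiB boundary; the /tmp path and the probe size are constructed here, not taken from the post.

```c
/* Added example (not Wireshark code): 64-bit file offsets and the
 * O_LARGEFILE flag on a POSIX system. The temp-file path below is a
 * constructed placeholder. */
#define _FILE_OFFSET_BITS 64   /* 64-bit off_t; open() implies O_LARGEFILE on 32-bit glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#ifndef O_LARGEFILE
#define O_LARGEFILE 0          /* not needed, or not defined, on this platform */
#endif
#ifndef O_BINARY
#define O_BINARY 0             /* Windows-only flag used by the wiretap call quoted above */
#endif

/* Width of off_t in bits: 64 means offsets beyond 2 GiB are representable. */
int off_t_bits(void)
{
    return (int)(sizeof(off_t) * 8);
}

/* The read-only open the post proposes, with O_LARGEFILE or'ed into the flags. */
int open_large_readonly(const char *path)
{
    return open(path, O_RDONLY | O_BINARY | O_LARGEFILE);
}

/* Create a sparse temp file ending just past 2 GiB, open it with the flags
 * above, seek to 2^31 + 1 and read one byte there. Returns the offset
 * reached, or -1 on any failure. The hole allocates no blocks, so the probe
 * is cheap even on a small filesystem. */
long long probe_large_seek(void)
{
    const off_t target = ((off_t)1 << 31) + 1;    /* 2 GiB + 1: overflows a 32-bit off_t */
    char path[] = "/tmp/largefile-probe-XXXXXX";   /* constructed path, not from the post */
    int wfd = mkstemp(path);
    if (wfd < 0)
        return -1;
    if (ftruncate(wfd, target + 1) != 0) {        /* extend to target + 1 bytes, sparsely */
        close(wfd);
        unlink(path);
        return -1;
    }
    close(wfd);

    int rfd = open_large_readonly(path);
    if (rfd < 0) {
        unlink(path);
        return -1;
    }
    off_t pos = lseek(rfd, target, SEEK_SET);     /* would fail with EOVERFLOW on a 32-bit off_t */
    unsigned char byte = 0xff;
    ssize_t n = (pos == target) ? read(rfd, &byte, 1) : -1;
    close(rfd);
    unlink(path);
    /* A byte inside a hole reads back as zero. */
    return (n == 1 && byte == 0) ? (long long)pos : -1;
}

int main(void)
{
    printf("off_t is %d bits\n", off_t_bits());
    printf("offset reached past 2 GiB: %lld\n", probe_large_seek());
    return 0;
}
```

On 64-bit Linux the kernel treats every open as large-file capable, so the flag changes nothing there; the difference shows on 32-bit builds, where open() without O_LARGEFILE (or without _FILE_OFFSET_BITS=64) fails with EOVERFLOW on a file larger than 2 GiB.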