Wireshark-dev: [Wireshark-dev] wireshark utilities unable to read large files
From: "Romel Khan" <[email protected]>
Date: Sat, 28 Jun 2008 11:11:29 -0400

Any wireshark utilities such as tshark & editcap, are unable to read large files. When using wireshark package to monitor live package, it may be necessary to read files that are many giga bytes. Upon investigating the code, I find that a eth_open function call is made::

            wiretap/file_access.c:          wth->fd = eth_open(filename, O_RDONLY|O_BINARY, 0000 /* no creation so don't matter */);

With mindset on linux system, this function would call the open(..) function. It seems that including O_LARGEFILE added as an ‘or’ in the flags argument (ie the 2nd argument in the eth_open(..)) would help::::

                                                            wth->fd = eth_open(filename, O_RDONLY|O_BINARY| O_LARGEFILE, 0000)

 

 

Alternative, option is to rewrite this code with a call to fopen(filename,”r”) instead of using open(..). Tcpdump using libpcap which calls fopen(..) has no issue dealing with large files.

 

I am new to wireshark development community. What is the next step in creating a defect and scheduling a fix in a future wireshark version?

Thanks.