Wireshark-users: Re: [Wireshark-users] Reading from a large trace file

Not to my knowledge.


Have you tried using the command line tshark to generate the statistics on this large file?




From: [email protected] [mailto:[email protected]] On Behalf Of Kamran Shafi
Sent: Sunday, April 13, 2008 8:13 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Reading from a large trace file


Thanks Barry,


I actually have stored this trace in multiple files which I joined using tcpslice to make this big file. Then my revised question is can Wireshark read multiple files and give aggregate statistics?

On Mon, Apr 14, 2008 at 12:32 AM, Barry Constantine <[email protected]> wrote:

You can split the file using the command line editcap.


First run "capinfos" command line to determine how many frames are in the trace file, then use editcap to split into manageable size chunks.




From: [email protected] [mailto:[email protected]] On Behalf Of Kamran Shafi
Sent: Saturday, April 12, 2008 9:09 PM
To: [email protected]
Subject: [Wireshark-users] Reading from a large trace file


Hello folks,


I have recently joined the list so apologies it the question has already been asked.


I am trying to read a large trace file (around 3 GB) stored with tcpdump -w flag to get the protocol statistics from Wireshark. I am on Windows XP Pro with 1 GB RAM. The Wireshark complains about the memory and crashes when trying to read this file. I guess it is trying to store everything in the memory before giving any stats. Is there a way to make Wireshark read without storing the packets but giving details about the trace at the end.


Wireshark-users mailing list
[email protected]