Wireshark-users: Re: [Wireshark-users] Value too large for defined data type

You could cat the big file and pipe it to dumpcap and tell dumpcap to generate multiple small files:

cat big.cap | dumpcap -i- -w smaller.cap -b filesize:65536

(this will split up the big file into multiple smaller files of 64MB)

Hope this helps,

PS IIRC, the reason for the Wireshark tools not being able to handle these large files is due to limitations in the gzip libraries...

----- Original Message ----- From: "Andrej van der Zee" <[email protected]>
To: <[email protected]>
Sent: Tuesday, August 04, 2009 9:47 AM
Subject: [Wireshark-users] Value too large for defined data type


I have a huge tcpdump file of 15GB that I want to break up in pieces
with editcap. But when I try to run editcap on the file, I get the
following errors:

editcap: Can't open huge.cap: Value too large for defined data type

Same goes for "tshark" and "capinfos".

Is there a way I can still use these tools?

Thank you,
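
The streaming split suggested in the reply, done by hand as an added example that is not part of the original thread or of Wireshark's code: it reads a classic pcap from a pipe one record at a time and starts a new output file at a size limit. The function names, the `open_chunk` callback, the output file naming and the 64 MiB limit in the usage lines are assumptions; pcapng input is not handled.

```python
import struct
import sys
PCAP_MAGICS = {  # classic pcap magic (first 4 bytes) -> struct byte order
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond stamps
}

def read_exact(stream, n):
    """Read n bytes from a pipe-like stream; returns fewer only at EOF."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def split_pcap(stream, open_chunk, max_bytes):
    """Split into chunks of about max_bytes; returns packets per chunk."""
    global_hdr = read_exact(stream, 24)
    if len(global_hdr) < 24 or global_hdr[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap stream (pcapng is not handled)")
    endian = PCAP_MAGICS[global_hdr[:4]]
    counts, out, written = [], None, 0
    while True:
        rec_hdr = read_exact(stream, 16)
        if len(rec_hdr) < 16:
            break  # clean EOF or a truncated record header
        incl_len = struct.unpack(endian + "IIII", rec_hdr)[2]
        data = read_exact(stream, incl_len)
        if len(data) < incl_len:
            break  # capture cut off mid-packet: drop the partial record
        # Roll over at the limit, but never leave a chunk empty.
        if out is None or (counts[-1] and written + 16 + incl_len > max_bytes):
            if out:
                out.close()
            out = open_chunk(len(counts))  # hypothetical callback: index -> file
            out.write(global_hdr)  # every chunk needs its own file header
            written = 24
            counts.append(0)
        out.write(rec_hdr + data)
        written += 16 + incl_len
        counts[-1] += 1
    if out:
        out.close()
    return counts

if __name__ == "__main__":  # cat big.cap | python3 split_pcap.py
    opener = lambda i: open("smaller_%05d.cap" % i, "wb")
    print(split_pcap(sys.stdin.buffer, opener, 64 * 2**20))
```

Because the input is only ever read forward, the script never seeks in or stats the source file, and a capture that ends mid-packet loses only its final partial record.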