Wireshark · Wireshark-users: Re: [Wireshark-users] Wireshark (1.4.0) fails opening large file on Windows Vista 32-bit.

[Tamás Varga <Tamas.Varga@xxxxxxxxxxxx>]

Hi Jaap,

 

Thank you very much for the description of memory related issues!

The workaround, splitting the file into, was working for me. Fine!

 

However, there are some issues, I have found no reference neither in wiki nor in bugzilla.

I suspect this is not the expected behavior with respect to file >2GB:

- capinfos.exe (Windows 32-bit) displays negative filesize

- capinfos (Linux 32-bit) stops with "Value too large for defined data type" error

- editcap (Linux 32-bit) stops with "Value too large for defined data type" error

- tshark (Linux 32-bit) stops with "Value too large for defined data type" error

- wireshark (Windows 32-bit) does not display the "Loading..." dialog and does not allow to stop loading a few percent of the file.

 

Anyhow, the tools work well for ordinary (<2GB) files. And this is okay!

 

cheers,

 Tamas

 

---

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
Sent: Monday, October 25, 2010 15:36
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Wireshark (1.4.0) fails opening large file on Windows Vista 32-bit.

Hi,

http://wiki.wireshark.org/KnownBugs/OutOfMemory

Thanks,
Jaap

On Mon, 25 Oct 2010 12:02:32 +0200, Tamás Varga <Tamas.Varga@xxxxxxxxxxxx> wrote:

Hi Wiresharkers,

  

Complementing my earlier mail, I have made a little survey on the issue.

With editcap, I have split the file into two parts, and it can be loaded:

 editcap -c 6000000 wa_00000_20100730043832.pcap wab.pcap

  

However, tshark.exe fails to open the file, even in file-to-file mode with filter:

 tshark -r wa_00000_20100730043832.pcap -w wac.pcap -R "ip.addr == 10.110.156.17"

  

Running capinfos.exe, yields negative file size:

C:\Temp>capinfos wa_00000_20100730043832.pcap

File name:           wa_00000_20100730043832.pcap

File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 300 bytes
Packet size limit:   inferred: 300 bytes
Number of packets:   11697799
File size:           -1855096401 bytes
Data size:           7220225590 bytes
Capture duration:    60 seconds
Start time:          Fri Jul 30 04:38:32 2010
End time:            Fri Jul 30 04:39:32 2010
Data byte rate:      119560482.40 bytes/sec
Data bit rate:       956483859.19 bits/sec
Average packet size: 617.23 bytes
Average packet rate: 193705.10 packets/sec
SHA1:                f3fea0286f21f5ce8543e960f95b72503c40c953
RIPEMD160:           e32e45c02492ecf54ffff0a1ff07bd895f70962e
MD5:                 e18b4af9a612379a315780cfad7bd9df
Strict time order:   False

 

With respect to my earlier mail, I was about to open the file and press STOP to prevent loading the entire file.

(I was not expecting to fit a >2GB file into the user-space of 32-bit application). But the "Loading..." window does not appear.

 

cheers,

 Tamas

---

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Tamás Varga
Sent: Monday, October 25, 2010 11:12
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Wireshark (1.4.0) fails opening large file on Windows Vista 32-bit.

Hi Wiresharkers,

 

I have received a large PCAP file on NTFS filesystem of size 2,439,870,895 bytes.

Opening the file yields the following error message (after a long wating time):

GLib-ERROR **: gmem.c:136: failed to allocate 4294967295 bytes aborting…

 

To open the file, is it worth seeking for a 64-bit machine?

Is largefile support planned in any 32-bit versions of Wireshark?

 

cheers,

Tamas