Wireshark-users: Re: [Wireshark-users] Pcap Ideal Size for Analysis
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 22 Aug 2011 15:18:05 +0200

Have a look at editcap, part of the Wireshark package. It allows you to cut the thing in pieces. There's no hard a set rule what the optimum size of a capture is. Some captures are more memory intensive than others. Also, depending on what you're trying to find, you'll need shorter or longer captures.

Have a good look at the command line tools.


On Mon, 22 Aug 2011 16:31:49 +0700, Zaki Akhmad wrote:

Hi all,

Just got a pcap file sized 532 MB :|

I was wondering, how big is pcap ideal size to do some analysis? Just
when I opened this file, I need at least 5 minutes on my computer
(dual core, 3 GB memory) to open it.

Or maybe there are tips & tricks to capture and analyze big pcap file?