
Wireshark-users: Re: [Wireshark-users] Running tshark on large pcap files

From: Erik Hjelmvik <erik.hjelmvik@xxxxxxxxx>
Date: Thu, 13 Jun 2013 22:19:33 +0200
2013/6/12 Rayne <hjazz6@xxxxxxxxx>:
> Is there a way to turn off TCP reassembly in tshark? I'm running tshark on
> multiple files using a script on a Linux server, so I can't use SplitCap.

Being the guy who develops SplitCap I can assure you that it runs on
Linux -- just make sure to install the mono framework.
Here's a quick howto for Ubuntu:

sudo apt-get install libmono2.0-cil mono-runtime
wget http://sourceforge.net/projects/splitcap/files/latest
unzip SplitCap_1-9.zip
mono SplitCap.exe -r dumpfile.pcap

There is a minor bug when running in Linux though, as the split files
aren't properly put into a subdirectory. But I'll make sure to have
that fixed for the next release of SplitCap.

Feel free to let me know if you have any additional questions
regarding SplitCap!

/erik

>
> And it also doesn't seem like I can split up the files with editcap.
> Whenever I tried to do that with the large pcap files, I got empty output
> files (24 bytes) instead. I'm not sure if it was due to the large file size.
>
> As for replying to old threads, I'm sorry about that. I didn't know I was
> doing that, because I was posting only from emails. I thought I just needed
> to send to wireshark-users@xxxxxxxxxxxxx (using my old posts so I could
> reference the email address) and a new thread would be created. I'll be sure
> not to do that again the next time I post a new thread. Sorry!
>
> ________________________________
> From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
> To: wireshark-users@xxxxxxxxxxxxx
> Sent: Tuesday, June 11, 2013 12:30 PM
>
> Subject: Re: [Wireshark-users] Running tshark on large pcap files
>
> Anders Broman <a.broman@...> writes:
>
>>    Possible workarounds:
>>    - Use editcap to split the files to more manageable chunks of say 1 - 2 GiB.
>>    - turn off TCP reassembly and all protocols you see above TCP/UDP
>>    I don't know if the MPLS dissector has any memory consuming features
>>    tunable by preferences. Your best bet is probably editcap, you can
>>    splice the resulting files back together with mergecap should you
>>    need it.
>
> Another possibility is splitcap: http://www.netresec.com/?page=SplitCap.
> - Chris
>
> P.S. This entire thread is buried on page 3 of the gmane archives under the
> 30 May 2013 12:09 thread entitled, "Editcap 1.2.15 not working", which
> itself is incorrectly threaded under the 30 Jan 2013 11:11 thread entitled,
> "Understanding SMB flow in Wireshark", all of which were started by Rayne.
> Please start a new message/thread instead of replying to old threads and
> changing the subject line.
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



-- 
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec
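Added example, not part of this thread and not code from SplitCap or Wireshark: a small pure-Python splitter and merger for classic pcap files that mirrors what `editcap -c N` (split every N packets) and `mergecap` (join the chunks back) do in the workaround Anders describes, so you can see exactly what a chunk file has to contain. It also checks for the symptom Rayne reports: an output file of exactly 24 bytes is a pcap global header with no packet records behind it. The sample capture is constructed in memory (not real traffic), the chunk naming scheme is simplified compared to editcap's, and all function names are my own; pcapng input is rejected explicitly because its layout is different.

```python
"""Split a classic pcap into fixed packet-count chunks and merge them back.
Standard library only; no capture tools needed. Example code, not editcap."""
import struct
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

PCAP_HEADER_LEN = 24      # global header only: what a 24-byte "empty" output file is
RECORD_HEADER_LEN = 16    # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond and nanosecond variants


def _byte_order(magic: bytes) -> str:
    """Return the struct byte-order prefix for a pcap global header."""
    if magic == b"\x0a\x0d\x0d\x0a":
        raise ValueError("pcapng input; this example handles classic pcap only")
    for order in ("<", ">"):
        if struct.unpack(order + "I", magic)[0] in PCAP_MAGICS:
            return order
    raise ValueError("not a classic pcap file (magic %s)" % magic.hex())


def iter_packets(data: bytes) -> Tuple[bytes, List[bytes]]:
    """Return (global_header, records); each record is its 16-byte header plus bytes."""
    if len(data) < PCAP_HEADER_LEN:
        raise ValueError("truncated global header")
    order = _byte_order(data[:4])
    records, off = [], PCAP_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(order + "IIII", data[off:off + RECORD_HEADER_LEN])
        end = off + RECORD_HEADER_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        records.append(data[off:end])
        off = end
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return data[:PCAP_HEADER_LEN], records


def split_pcap(src: Path, out_dir: Path, packets_per_chunk: int) -> List[Path]:
    """Write chunks of N records, each prefixed with the original global header."""
    header, records = iter_packets(src.read_bytes())
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i in range(0, len(records), packets_per_chunk):
        chunk = out_dir / f"{src.stem}_{i // packets_per_chunk:05d}{src.suffix}"
        chunk.write_bytes(header + b"".join(records[i:i + packets_per_chunk]))
        paths.append(chunk)
    return paths


def merge_pcaps(chunks: List[Path], dst: Path) -> int:
    """Concatenate chunks from one split, in order; refuses mismatched global headers."""
    header, out = None, []
    for chunk in chunks:
        h, recs = iter_packets(chunk.read_bytes())
        if header is None:
            header = h
        elif h != header:
            raise ValueError(f"{chunk}: global header differs; cannot concatenate")
        out.extend(recs)
    dst.write_bytes((header or b"") + b"".join(out))
    return len(out)


def is_empty_pcap(path: Path) -> bool:
    """True when the file is only the 24-byte global header: no packets survived."""
    return path.stat().st_size == PCAP_HEADER_LEN


def make_sample_pcap(n_packets: int) -> bytes:
    """Constructed input: little-endian pcap, link type 1, n records of growing size."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i in range(n_packets):
        payload = bytes([i % 256]) * (60 + i)
        body += struct.pack("<IIII", 1700000000 + i, 0, len(payload), len(payload)) + payload
    return hdr + body


def demo(tmp_dir: Optional[Path] = None, n_packets: int = 10, per_chunk: int = 4) -> dict:
    """Split a constructed capture, merge it back, and report what happened."""
    tmp_dir = tmp_dir or Path(tempfile.mkdtemp())
    src = tmp_dir / "big.pcap"
    src.write_bytes(make_sample_pcap(n_packets))
    chunks = split_pcap(src, tmp_dir / "parts", per_chunk)
    merged = tmp_dir / "merged.pcap"
    count = merge_pcaps(chunks, merged)
    none = tmp_dir / "none.pcap"           # the 24-byte outcome from the thread
    none.write_bytes(make_sample_pcap(0))
    return {
        "chunks": len(chunks),
        "chunk_packet_counts": [len(iter_packets(c.read_bytes())[1]) for c in chunks],
        "merged_packets": count,
        "roundtrip_ok": merged.read_bytes() == src.read_bytes(),
        "any_empty_chunk": any(is_empty_pcap(c) for c in chunks),
        "empty_detected": is_empty_pcap(none),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script splits ten constructed packets into chunks of four (4, 4, 2), merges them back byte-for-byte, and flags the zero-packet file as "empty" by its 24-byte size. On a real capture that reproduces Rayne's symptom, `is_empty_pcap` on each output tells you whether the split step produced headers only, before you spend time running tshark over them.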