Wireshark-dev: Re: [Wireshark-dev] why wireshark cannot open large size files?
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 24 Aug 2011 15:48:22 -0700
On Aug 24, 2011, at 1:01 PM, John x wrote:

> I find that I can open pcap files like 5kb or 9kb, but if I open a file with size like 500kb or 1mb, it will be shown "wireshark not responding" in Windows.

I'm not sure what "not responding" means in Windows, but if it's anything like, for example, the hang indication in Mac OS X's Activity Monitor, which indicates the app is giving the Spinning Pizza Of Death, it means that the app hasn't checked its input queue in a while.

While reading in a capture file, Wireshark should be displaying a progress bar window, *and* should be periodically updating that window *and* checking for input (including clicking the "Cancel" button in the progress bar, if reading the file is taking too long and you just want to give up on it).

Is Wireshark putting up a progress bar dialog while it's reading the file?  If so, is the progress bar moving, and can you click the "Cancel" button to stop reading the file?

If not, there might be a bug in a dissector where it's in an infinite loop, which means it's not a question of the file *size*, it's a question of particular packets in the file triggering the bug.

I've read files many times larger than that in Wireshark with no problems.  500KB should *NOT* cause a problem.  500MB, maybe, but not 500KB.
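The point above, that a hang is caused by particular packets rather than file size, can be checked by bisecting the capture. The following is an added example, not part of the original message or of Wireshark's code: it assumes a classic pcap file (not pcapng), `tshark` on the PATH, and that a dissector loop shows up as a timeout; the function names are hypothetical.

```python
import os, struct, subprocess, tempfile

# Byte order by pcap magic (microsecond and nanosecond variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def read_pcap(data):
    """Split a classic pcap file into (global_header, [raw_record, ...])."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    records, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        end = off + 16 + incl_len
        if end > len(data):          # truncated final record: stop here
            break
        records.append(data[off:end])
        off = end
    return data[:24], records

def tshark_hangs(pcap_bytes, timeout=10):
    """Assumption: tshark is on PATH and a dissector loop shows up as a timeout."""
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as f:
        f.write(pcap_bytes)
    try:
        subprocess.run(["tshark", "-r", f.name], stdout=subprocess.DEVNULL,
                       stderr=subprocess.DEVNULL, timeout=timeout)
        return False
    except subprocess.TimeoutExpired:
        return True
    finally:
        os.unlink(f.name)

def first_hanging_packet(data, hangs=tshark_hangs):
    """1-based number of the first packet whose inclusion makes hangs() true."""
    header, records = read_pcap(data)
    if not hangs(header + b"".join(records)):
        return None                  # whole file reads fine
    lo, hi = 1, len(records)         # smallest prefix length that hangs
    while lo < hi:
        mid = (lo + hi) // 2
        if hangs(header + b"".join(records[:mid])):
            hi = mid
        else:
            lo = mid + 1
    return lo

def sample_capture(payloads=(b"ok", b"ok", b"ok", b"LOOP", b"ok")):
    """Constructed sample: tiny fake packets; 'LOOP' marks the one a stub reacts to."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in payloads)
```

On a real file, call `first_hanging_packet(open(path, "rb").read())`; the returned packet number is the one to attach to a bug report against the dissector.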