Wireshark-users: Re: [Wireshark-users] Wireshark (1.4.0) fails opening large file on Windows Vist
      
      
Hi Wiresharkers,
 
Complementing my earlier mail, I have made a little survey on the issue.
With editcap, I have split the file into two parts, and it can be loaded:
 editcap -c 6000000 wa_00000_20100730043832.pcap wab.pcap
 
However, tshark.exe fails to open the file, even in file-to-file mode with filter:
 tshark -r wa_00000_20100730043832.pcap -w wac.pcap -R "ip.addr == 10.110.156.17"
 
Running capinfos.exe yields negative file size:
C:\Temp>capinfos wa_00000_20100730043832.pcap
File name:           wa_00000_20100730043832.pcap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 300 bytes
Packet size limit:   inferred: 300 bytes
Number of packets:   11697799
File size:           -1855096401 bytes
Data size:           7220225590 bytes
Capture duration:    60 seconds
Start time:          Fri Jul 30 04:38:32 2010
End time:            Fri Jul 30 04:39:32 2010
Data byte rate:      119560482.40 bytes/sec
Data bit rate:       956483859.19 bits/sec
Average packet size: 617.23 bytes
Average packet rate: 193705.10 packets/sec
SHA1:                f3fea0286f21f5ce8543e960f95b72503c40c953
RIPEMD160:           e32e45c02492ecf54ffff0a1ff07bd895f70962e
MD5:                 e18b4af9a612379a315780cfad7bd9df
Strict time order:   False
 
With respect to my earlier mail, I was about to open the file and press STOP to prevent loading the entire file.
(I was not expecting to fit a >2GB file into the user-space of a 32-bit application). 
But the "Loading..." window does not appear.
 
cheers,
 Tamas
Hi Wiresharkers,
 
I have received a large PCAP file on NTFS filesystem of size 2,439,870,895 bytes.
Opening the file yields the following error message (after a long waiting time):
GLib-ERROR **: gmem.c:136: failed to allocate 4294967295 bytes 
aborting
 
To open the file, is it worth seeking for a 64-bit machine?
Is largefile support planned in any 32-bit versions of Wireshark?
 
cheers,
Tamas
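
Added example, not part of either mail and not Wireshark code: the two numbers reported in this thread are exactly what 32-bit truncation produces, since 2,439,870,895 - 2^32 = -1,855,096,401 (the capinfos "File size") and -1 read as an unsigned 32-bit value is 4294967295 (the failed GLib allocation). That truncation is the cause in Wireshark 1.4.0 is an assumption; all function names below are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value seen when a 64-bit byte count is stored in a signed 32-bit field
   (two's complement). Computed arithmetically to avoid
   implementation-defined narrowing conversions. */
static int64_t wrap_to_int32(int64_t n) {
    uint32_t low = (uint32_t)n;                 /* keep the low 32 bits */
    return low > INT32_MAX ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* Value seen when a signed length or error code is passed on as an
   unsigned 32-bit allocation size. */
static uint32_t as_alloc32(int32_t len) {
    return (uint32_t)len;
}

/* Checked conversion: returns 0 and stores the size on success, -1 if the
   size is negative or exceeds the allocator's limit. The limit is a
   parameter so a 32-bit target can be modelled on any host. */
static int checked_size(int64_t n, uint64_t size_max, uint64_t *out) {
    if (n < 0 || (uint64_t)n > size_max)
        return -1;                              /* refuse instead of wrapping */
    *out = (uint64_t)n;
    return 0;
}

int main(void) {
    int64_t file_size = 2439870895LL;           /* size stated in the mail */
    uint64_t sz = 0;

    printf("stored as int32   : %lld\n", (long long)wrap_to_int32(file_size));
    printf("-1 as uint32 size : %lu\n", (unsigned long)as_alloc32(-1));
    printf("fits signed 32-bit: %s\n",
           checked_size(file_size, INT32_MAX, &sz) == 0 ? "yes" : "no");
    printf("fits 64-bit offset: %s\n",
           checked_size(file_size, INT64_MAX, &sz) == 0 ? "yes" : "no");
    return 0;
}
```

Any code path that sizes a buffer or seeks from a file length has to carry that length in a 64-bit type and reject values that fail a check like checked_size before allocating.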