Wireshark mailing list archives

Re: Running tshark on large pcap files


From: Rayne <hjazz6 () ymail com>
Date: Tue, 11 Jun 2013 19:51:39 -0700 (PDT)

Is there a way to turn off TCP reassembly in tshark? I'm running tshark on multiple files using a script on a Linux 
server, so I can't use SplitCap.

And it also doesn't seem like I can split up the files with editcap. Whenever I tried to do that with the large pcap 
files, I got empty output files (24 bytes) instead. I'm not sure if it was due to the large file size.


As for replying to old threads, I'm sorry about that. I didn't know I was doing that, because I was posting only from 
emails. I thought I just needed to send to wireshark-users () wireshark org (using my old posts so I could reference 
the email address) and a new thread would be created. I'll be sure not to do that again the next time I post a new 
thread. Sorry!



________________________________
 From: Christopher Maynard <Christopher.Maynard () gtech com>
To: wireshark-users () wireshark org 
Sent: Tuesday, June 11, 2013 12:30 PM
Subject: Re: [Wireshark-users] Running tshark on large pcap files
 

Anders Broman <a.broman@...> writes:

     Possible workarounds:
     - Use editcap to split the files to more manageable chunks of say
       1 - 2 GiB.
     - turn off TCP reassembly and all protocols you see above TCP/UDP
     I don't know if the MPLS dissector has any memory consuming features
     tunable by preferences. Your best bet is probably editcap, you can
     splice the resulting files back together with mergecap should you
     need it.

Another possibility is splitcap: http://www.netresec.com/?page=SplitCap. 
- Chris

P.S. This entire thread is buried on page 3 of the gmane archives under the
30 May 2013 12:09 thread entitled, "Editcap 1.2.15 not working", which
itself is incorrectly threaded under the 30 Jan 2013 11:11 thread entitled,
"Understanding SMB flow in Wireshark", all of which were started by Rayne. 
Please start a new message/thread instead of replying to old threads and
changing the subject line.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
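
The chunking workaround discussed in this thread, as an added example that is not part of the original messages and is not Wireshark code: a streaming splitter for classic pcap files that reads one record at a time, so memory use stays flat however large the capture is. The names `split_pcap` and `make_sample` and the sample packets are constructed for illustration; note that 24 bytes is the size of a classic pcap global header, so a 24-byte file is a header with no packet records.

```python
import os
import struct
import tempfile

# Classic pcap magic numbers -> struct byte-order prefix (pcapng is not handled).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def split_pcap(src, out_prefix, packets_per_file):
    """Stream src record by record; return [(chunk_path, packet_count), ...]."""
    chunks, out, count = [], None, 0
    with open(src, "rb") as f:
        ghdr = f.read(24)                      # global header, copied to every chunk
        if len(ghdr) < 24 or ghdr[:4] not in MAGICS:
            raise ValueError("not a classic pcap file")
        endian = MAGICS[ghdr[:4]]
        while True:
            rhdr = f.read(16)                  # ts_sec, ts_frac, incl_len, orig_len
            if len(rhdr) < 16:
                break                          # end of file (or cut-off record header)
            incl_len = struct.unpack(endian + "IIII", rhdr)[2]
            data = f.read(incl_len)
            if len(data) < incl_len:
                break                          # final packet truncated: drop it
            if out is None:
                path = "%s_%05d.pcap" % (out_prefix, len(chunks))
                out, count = open(path, "wb"), 0
                out.write(ghdr)
            out.write(rhdr + data)
            count += 1
            if count == packets_per_file:
                out.close()
                chunks.append((path, count))
                out = None
    if out is not None:
        out.close()
        chunks.append((path, count))
    return chunks

def make_sample(path, n):
    """Constructed input: n dummy 60-byte packets with Ethernet link type."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i in range(n):
            f.write(struct.pack("<IIII", 1370000000 + i, 0, 60, 60) + bytes(60))

if __name__ == "__main__":
    d = tempfile.mkdtemp()
    make_sample(os.path.join(d, "big.pcap"), 7)
    print(split_pcap(os.path.join(d, "big.pcap"), os.path.join(d, "chunk"), 3))
```

Each chunk can then be read with `tshark -o tcp.desegment_tcp_streams:FALSE -r <chunk>`, where the `tcp.desegment_tcp_streams` preference turns off TCP stream reassembly for that run.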