Ethereal-users: Re: [Ethereal-users] Editcap to break large snoop file up

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sat, 6 Mar 2004 01:57:36 -0800
On Fri, Mar 05, 2004 at 08:48:42AM -0500, Alford, Kevin (Ntelicor) wrote:
> I am running Solaris 8, and I have a 1GB snoop capture file.
> I have ethereal running on my Windows desktop, and it hangs when I try and
> load my snoop capture.

Do you have network-layer name resolution enabled?

If so, try disabling it, and see if it finishes.  It might not be
"hanging" in the sense of blocking forever, it might just be "hanging"
in the sense that, when it tries to translate IP addresses to names
(which, if network-layer name resolution is enabled, it'll try to do for
some of the IP addresses in packets, including IP source and destination
addresses, when reading in a capture), it blocks for a long period of
time.

> I have installed ethereal in my Solaris environment, and want to use editcap
> to divide my snoop file
> Into manageable sizes.  Your assistance in this matter is greatly
> appreciated.

If there's a dissector bug causing Ethereal to block forever, and that's
what's causing the hang, splitting the file up won't completely fix the
problem - at least one of the files will still get the hang.  Similarly,
if it's a name resolution issue, that won't fix it, either.

But if you want to use editcap to split the file up, you'd do something
such as

	editcap -r big_snoop_file first_output_file 1-10000
	editcap -r big_snoop_file second_output_file 10001-20000
	editcap -r big_snoop_file third_output_file 20001-30000

and so on - that'd break the capture file up into smaller files, each of
which has 10,000 packets (except perhaps for the last one, which might
have fewer).  If 10,000 packets is too big (note that "hangs" probably
doesn't imply "too big"), use smaller numbers.
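As an added example (not part of Guy's reply or the Ethereal project's own tooling), here is a POSIX shell wrapper that turns the three editcap commands above into a loop over computed packet ranges, so the last chunk is sized correctly when the total is not a multiple of the chunk size. It assumes editcap is on PATH and that the caller already knows the total packet count of the capture.

```shell
#!/bin/sh
# chunk_ranges TOTAL SIZE
# Print one "first-last" packet range per line covering 1..TOTAL in
# chunks of SIZE packets; the final range is shortened to end at TOTAL.
chunk_ranges() {
    total=$1
    size=$2
    # Guard against a zero or negative chunk size, which would loop forever.
    if [ "$size" -le 0 ]; then
        return 1
    fi
    first=1
    while [ "$first" -le "$total" ]; do
        last=$((first + size - 1))
        if [ "$last" -gt "$total" ]; then
            last=$total
        fi
        echo "${first}-${last}"
        first=$((last + 1))
    done
}

# split_capture IN_FILE OUT_PREFIX TOTAL SIZE
# Run "editcap -r" once per range (the same invocation shown in the reply),
# writing OUT_PREFIX_1, OUT_PREFIX_2, ... and printing the number of files
# produced on the last line. Stops at the first editcap failure.
split_capture() {
    in=$1
    prefix=$2
    total=$3
    size=$4
    n=0
    for range in $(chunk_ranges "$total" "$size"); do
        n=$((n + 1))
        editcap -r "$in" "${prefix}_${n}" "$range" || return 1
    done
    echo "$n"
}

# Example (constructed values): a 25,000-packet capture in 10,000-packet parts.
# split_capture big_snoop_file part 25000 10000
```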