Hi all,
I've seen a few posts in the wireshark-users archive where Ulf Lamping
mentions incorporating support for gint64 offsets for traffic dump files.
Does this imply that tshark can write pcap files using large file
support on Linux without the need to resort to multiple capture ring
files?
If not, is it possible to build myself a tshark version that does
support writing to large files by specifying
CFLAGS=-D_GNU_SOURCE\ -D_FILE_OFFSET_BITS=64
etc. to the configure script?
My doubt with the above method is that the system's underlying libpcap
might not support large files, in which case tshark might not either.
How does tshark interact with libpcap while dumping to pcap?
Will the file size limit on libpcap also limit the output file sizes
for tshark even if I specify the above CFLAGS for my build?
I do not need to use wireshark so I am not very concerned about huge
memory usage for those large pcap files.
Thanks in advance,
Shehjar