Shehjar Tikoo wrote:
> Hi all,
> I've seen a few posts in the wireshark-users archive where Ulf Lamping
> mentions incorporating support for gint64 offsets for traffic dump files.
> Does this imply that tshark can write pcap files using large file
> support on Linux without the need to resort to multiple capture ring
> files?
Although it's probably still untested, it should work.
> If not, is it possible to build myself a tshark version that does
> support writing to large files by specifying
> CFLAGS=-D_GNU_SOURCE\ -D_FILE_OFFSET_BITS=64
> etc. to the configure script?
> My doubt with the above method is that the system's underlying libpcap
> might not support large files, in which case tshark might not either.
libpcap doesn't work with the files directly, so there's no problem here.
You'll need to compile without libz, as libz is (optionally?) used to
work with capture files and it will by default use 32-bit file offsets
on machines which use 32 bits for long values. So you can compile
Wireshark/Tshark without libz (configure option?) or use a 64-bit
machine that uses 64 bits for "long" integers.
However, I don't know the configure settings for this as I'm working on
Win32 most of the time.
> How does tshark interact with libpcap while dumping to pcap?
tshark gets the "raw packet data" from libpcap and then uses its own
wiretap library to save the data to disk.
> Will the file size limit on libpcap also limit the output file sizes
> for tshark even if I specify the above CFLAGS for my build?
> I do not need to use wireshark so I am not very concerned about huge
> memory usage for those large pcap files.
Regards, ULFL
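The following is an added example, not code from Wireshark's wiretap library or from either poster, illustrating the two points in the exchange above: a capture writer that never touches libpcap for file I/O only needs the C library's own offsets to be 64-bit (which is what `-D_FILE_OFFSET_BITS=64` gives you), and a 32-bit `long` offset (as zlib's `z_off_t` is on an ILP32 build without large-file support) wraps negative somewhere past 2 GiB. The pcap header layout, the 60-byte dummy frame and the record counts are constructed for the example; `record_offset_ilp32()` only models the truncation in arithmetic and does not call zlib.

```c
/* Added example: a minimal classic-pcap writer with 64-bit stdio offsets.
 * Not wiretap/libpcap code; written to illustrate the mailing-list thread. */
#define _FILE_OFFSET_BITS 64   /* same effect as CFLAGS=-D_FILE_OFFSET_BITS=64; must precede every system header */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define PCAP_GLOBAL_HDR_LEN 24u
#define PCAP_RECORD_HDR_LEN 16u

/* Classic pcap (libpcap savefile) global header, written in host byte order; 24 bytes, no padding. */
struct pcap_file_hdr {
    uint32_t magic;          /* 0xa1b2c3d4: host byte order, microsecond timestamps */
    uint16_t version_major;  /* 2 */
    uint16_t version_minor;  /* 4 */
    int32_t  thiszone;       /* GMT offset, 0 */
    uint32_t sigfigs;        /* 0 */
    uint32_t snaplen;
    uint32_t linktype;       /* 1 = Ethernet */
};

/* Per-packet record header; 16 bytes, followed by incl_len bytes of frame data. */
struct pcap_rec_hdr {
    uint32_t ts_sec;
    uint32_t ts_usec;
    uint32_t incl_len;       /* bytes saved in the file */
    uint32_t orig_len;       /* bytes on the wire */
};

int pcap_write_header(FILE *fp, uint32_t snaplen, uint32_t linktype)
{
    struct pcap_file_hdr h = { 0xa1b2c3d4u, 2, 4, 0, 0, snaplen, linktype };
    return fwrite(&h, sizeof h, 1, fp) == 1 ? 0 : -1;
}

int pcap_write_record(FILE *fp, uint32_t ts_sec, uint32_t ts_usec,
                      const uint8_t *data, uint32_t caplen, uint32_t origlen)
{
    struct pcap_rec_hdr r = { ts_sec, ts_usec, caplen, origlen };
    if (fwrite(&r, sizeof r, 1, fp) != 1) return -1;
    return fwrite(data, 1, caplen, fp) == caplen ? 0 : -1;
}

/* Current write position. With _FILE_OFFSET_BITS=64, off_t is 64 bits even on an ILP32
 * build, so the position keeps counting past 2 GiB where a plain long would wrap. */
off_t pcap_tell(FILE *fp) { return ftello(fp); }

/* 1 if this build tracks stdio offsets in 64 bits (what the CFLAGS in the thread are for). */
int stdio_offsets_are_64bit(void) { return sizeof(off_t) == 8; }

/* Byte offset at which record n (0-based) starts when every record carries caplen bytes. */
uint64_t record_offset64(uint64_t n, uint32_t caplen)
{
    return PCAP_GLOBAL_HDR_LEN + n * (uint64_t)(PCAP_RECORD_HDR_LEN + caplen);
}

/* The same offset as a 32-bit signed long would hold it (zlib's z_off_t on a 32-bit build
 * without large-file support): a negative result means the offset has already wrapped. */
int32_t record_offset_ilp32(uint64_t n, uint32_t caplen)
{
    return (int32_t)(uint32_t)record_offset64(n, caplen);
}

/* Write a header plus three 60-byte constructed frames to a temp file and return the
 * final offset: 24 + 3 * (16 + 60) = 252, or -1 on error. */
long long demo_write_three_records(void)
{
    FILE *fp = tmpfile();
    uint8_t frame[60];
    off_t end;
    if (!fp) return -1;
    memset(frame, 0xAB, sizeof frame);                        /* constructed dummy frame */
    if (pcap_write_header(fp, 65535, 1) != 0) { fclose(fp); return -1; }
    for (uint32_t i = 0; i < 3; i++) {
        if (pcap_write_record(fp, 1000000u + i, 0, frame, sizeof frame, sizeof frame) != 0) {
            fclose(fp);
            return -1;
        }
    }
    fflush(fp);
    end = pcap_tell(fp);
    fclose(fp);
    return (long long)end;
}

int main(void)
{
    printf("sizeof(off_t) = %zu\n", sizeof(off_t));
    printf("three records end at offset %lld\n", demo_write_three_records());
    /* 1,500,000 records of 1500 bytes: 2,274,000,024 bytes, already past the 2 GiB mark */
    printf("record 1500000 starts at %llu (64-bit) / %ld (as 32-bit long)\n",
           (unsigned long long)record_offset64(1500000, 1500),
           (long)record_offset_ilp32(1500000, 1500));
    return 0;
}
```

The writer itself only ever calls `fwrite()` and `ftello()`, which is why libpcap's own large-file status is irrelevant to the output file size; the part that does matter is any library in the write path (zlib, when capture files go through it) that keeps the offset in a 32-bit `long`, which `record_offset_ilp32()` shows going negative well before the file reaches 4 GiB.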