Wireshark-users: Re: [Wireshark-users] 2 gig limit on mergecap

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 22 Nov 2006 12:00:23 -0800
Daniel Goolsby wrote:

> regardless, mergecap stops at 2g. I made sure and compiled merge on a Sparc Sun box, I also recompiled zlib to make sure it was at least compiled on a 64-bit machine - no telling if it had any real effect.

"Compiled on a 64-bit machine" isn't enough; zlib would have to be built as a 64-bit library, which might not be the default on a 64-bit machine - the default might be 32-bit.

> I could probably 'tcpreplay' the individual files on an interface that isn't being used, and tcpdump that one,

...but only if tcpdump can handle files >2GB. It uses libpcap to write the capture file, and libpcap uses the regular standard I/O routines, so, unless libpcap is built in the right "transitional environment", I don't think it'll be able to handle files >2GB in Solaris. (See my response to Ulf Lamping for more details.)

If you're running Linux rather than Solaris, the answers might be different - but not as different as you might like, given that off_t is, I think, a long in Linux, and thus 32 bits in an ILP32 environment.
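
The following is an added example, not part of the original message and not code from Wireshark or libpcap: a pre-flight check that tells whether a merged capture would still be addressable with a signed file offset of a given width. It assumes classic pcap files (24-byte global header, kept once in the output); the function names and the sample sizes are constructed for illustration.

```c
/* Request a 64-bit off_t where the platform offers a large-file
 * compilation environment (glibc, Solaris); must precede the includes. */
#define _FILE_OFFSET_BITS 64
#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>

#define PCAP_GLOBAL_HDR 24 /* classic pcap file header, in bytes (assumed format) */

/* Largest offset a signed file-offset type of `bits` bits can hold. */
static int64_t max_offset(int bits)
{
    return bits >= 64 ? INT64_MAX : (((int64_t)1 << (bits - 1)) - 1);
}

/* Size of the merged file: one global header plus the records of every
 * input. Returns -1 for an input shorter than a header or on overflow. */
static int64_t merged_size(const int64_t *sizes, size_t n)
{
    int64_t total = PCAP_GLOBAL_HDR;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] < PCAP_GLOBAL_HDR) return -1;
        int64_t body = sizes[i] - PCAP_GLOBAL_HDR;
        if (body > INT64_MAX - total) return -1;
        total += body;
    }
    return total;
}

/* 1 if the output fits a `bits`-wide signed offset, 0 if not, -1 on bad input. */
static int merge_fits(const int64_t *sizes, size_t n, int bits)
{
    int64_t total = merged_size(sizes, n);
    if (total < 0) return -1;
    return total <= max_offset(bits);
}

int main(void)
{
    /* Constructed sample: three 900 MB captures. */
    const int64_t sizes[] = { 900000000, 900000000, 900000000 };
    int bits = (int)(sizeof(off_t) * 8); /* offset width of this build */
    printf("off_t is %d bits in this build\n", bits);
    printf("merged size: %lld bytes\n", (long long)merged_size(sizes, 3));
    printf("fits this build: %d, fits a 32-bit off_t: %d\n",
           merge_fits(sizes, 3, bits), merge_fits(sizes, 3, 32));
    return 0;
}
```
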