Wireshark-users: Re: [Wireshark-users] Reading from a large trace file

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 14 Apr 2008 19:35:26 +0200
Neither Wireshark nor Tshark will help you out here. They use the
same engine. The problem is that the engine keeps state-information
on each session. As it is an analyser tool that wants to give you
as much information as possible, it does not flush data when a 
session is ended.

This means the memory footprint will keep growing as more of the 
large file is read.

If all you need is basic statistics, then "ntop" might be a 
better tool for you; it focuses more on quantitative information,
while Wireshark focuses more on qualitative information.

Hope this helps,
Cheers,
    Sake

On Mon, Apr 14, 2008 at 09:50:55AM -0700, Barry Constantine wrote:
> Not to my knowledge.
> 
> Have you tried using the command line tshark to generate the statistics
> on this large file?
> 
> -Barry
> 
> ________________________________
> 
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Kamran Shafi
> Sent: Sunday, April 13, 2008 8:13 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Reading from a large trace file
> 
> Thanks Barry,
> 
> I actually have stored this trace in multiple files which I joined using
> tcpslice to make this big file. Then my revised question is: can
> Wireshark read multiple files and give aggregate statistics?
> 
> On Mon, Apr 14, 2008 at 12:32 AM, Barry Constantine
> <Barry.Constantine@xxxxxxxx> wrote:
> 
> You can split the file using the command line editcap.
> 
> First run "capinfos" command line to determine how many frames are in
> the trace file, then use editcap to split into manageable size chunks.
> 
> -Barry
> 
> ________________________________
> 
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Kamran Shafi
> Sent: Saturday, April 12, 2008 9:09 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Reading from a large trace file
> 
> Hello folks,
> 
> I have recently joined the list, so apologies if the question has already
> been asked.
> 
> I am trying to read a large trace file (around 3 GB) stored with the tcpdump
> -w flag to get the protocol statistics from Wireshark. I am on Windows
> XP Pro with 1 GB RAM. Wireshark complains about the memory and
> crashes when trying to read this file. I guess it is trying to store
> everything in memory before giving any stats. Is there a way to make
> Wireshark read without storing the packets but give details about the
> trace at the end?
> 
> -- 
> Regards
> Kam
> 
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
> 
> 
> 
> 
> -- 
> Regards
> Kamran 
> 
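
Added example, not code from any message in this thread: a streaming reader over a classic pcap file that keeps only per-protocol counters and drops each packet once counted, i.e. the constant-memory behaviour Kam asked for, in contrast to the per-session state Sake describes Wireshark retaining. It assumes the classic pcap format (not pcapng), an Ethernet link type and IPv4 only; the sample capture is constructed inline.

```python
import io
import struct
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def protocol_stats(stream):
    """Walk a classic pcap record by record, keeping only counters, never packets."""
    hdr = stream.read(24)
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic (non-pcapng) pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", hdr[20:24])[0]
    if linktype != 1:
        raise ValueError("this example only decodes Ethernet (linktype 1)")
    packets, octets = Counter(), Counter()
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        frame = stream.read(incl_len)
        if len(frame) < incl_len:
            break  # truncated last record, typical of a capture cut off mid-write
        key = "non-ipv4"
        if frame[12:14] == b"\x08\x00" and len(frame) >= 34:
            proto = frame[23]  # IPv4 protocol field, 9 bytes into the IP header
            key = PROTO_NAMES.get(proto, "ipv4-proto-%d" % proto)
        packets[key] += 1
        octets[key] += incl_len
    return {"packets": dict(packets), "bytes": dict(octets)}

def stats_from_bytes(data):
    return protocol_stats(io.BytesIO(data))

# Constructed sample capture (not real traffic): little-endian pcap header,
# Ethernet linktype, three IPv4 frames carrying TCP, UDP and ICMP.
def _frame(proto, payload_len):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def _record(frame):
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record(_frame(6, 100)) + _record(_frame(17, 50)) + _record(_frame(1, 8)))

if __name__ == "__main__":
    print(stats_from_bytes(SAMPLE_PCAP))
```

For a real trace, pass an open file object instead: `protocol_stats(open("big.pcap", "rb"))`; memory use stays flat because only the counters survive each iteration.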