Wireshark-users: Re: [Wireshark-users] Reading from a large trace file

From: "Kamran Shafi" <kamran.shafi@xxxxxxxxx>
Date: Tue, 15 Apr 2008 16:00:00 +1000
Thanks folks.

On Tue, Apr 15, 2008 at 3:35 AM, Sake Blok <sake@xxxxxxxxxx> wrote:
Neither Wireshark nor Tshark will help you out here. They use the
same engine. The problem is that the engine keeps state-information
on each session. As it is an analyser tool that wants to give you
as much information as possible, it does not flush data when a
session is ended.

This means the memory footprint will keep growing as more of the
large file is read.

If all you need is basic statistics, then "ntop" might be a
better tool for you, it focusses more on quantitative information
while wireshark focusses more on qualitative information.

Hope this helps,
Cheers,
   Sake

On Mon, Apr 14, 2008 at 09:50:55AM -0700, Barry Constantine wrote:
> Not to my knowledge.
>
> Have you tried using the command line tshark to generate the statistics
> on this large file?
>
> -Barry
>
> ________________________________
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Kamran Shafi
> Sent: Sunday, April 13, 2008 8:13 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Reading from a large trace file
>
> Thanks Barry,
>
> I actually have stored this trace in multiple files which I joined using
> tcpslice to make this big file. Then my revised question is can
> Wireshark read multiple files and give aggregate statistics?
>
> On Mon, Apr 14, 2008 at 12:32 AM, Barry Constantine
> <Barry.Constantine@xxxxxxxx> wrote:
>
> You can split the file using the command line editcap.
>
> First run "capinfos" command line to determine how many frames are in
> the trace file, then use editcap to split into manageable size chunks.
>
> -Barry
>
> ________________________________
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Kamran Shafi
> Sent: Saturday, April 12, 2008 9:09 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Reading from a large trace file
>
> Hello folks,
>
> I have recently joined the list so apologies if the question has already
> been asked.
>
> I am trying to read a large trace file (around 3 GB) stored with tcpdump
> -w flag to get the protocol statistics from Wireshark. I am on Windows
> XP Pro with 1 GB RAM. The Wireshark complains about the memory and
> crashes when trying to read this file. I guess it is trying to store
> everything in the memory before giving any stats. Is there a way to make
> Wireshark read without storing the packets but giving details about the
> trace at the end?
>
> --
> Regards
> Kam
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
> --
> Regards
> Kamran
>
--
Regards
Kamran
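The thread's two practical answers are "stream the file and keep only counters" (Kamran's original wish, which Sake explains Wireshark's state-keeping engine cannot do) and "split the capture into chunks with capinfos/editcap, then aggregate" (Barry's suggestion). The script below, added here as an illustration and not code from anyone on the thread, shows both on a libpcap (tcpdump -w) file: `pcap_stats` walks the records once and keeps per-ethertype and per-IP-protocol counters with flat memory use, and `split_pcap` cuts the same stream into self-contained chunks of N frames, which is what `editcap -c` does. It assumes the classic libpcap format (not pcapng) with an Ethernet link type; the sample capture at the bottom is constructed in memory so the script runs offline.

```python
"""Streaming protocol statistics and chunking for a libpcap (tcpdump -w) file.
Added example: only counters are kept, never a list of packets."""
import io
import struct
from collections import Counter

GLOBAL_HDR_LEN = 24   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1
ETHERTYPE_NAMES = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6"}
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _read_global_header(stream):
    """Return (struct byte-order prefix, linktype); raise if this is not a pcap file."""
    hdr = stream.read(GLOBAL_HDR_LEN)
    if len(hdr) != GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    magic = hdr[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xA1B2C3D4 written little-endian
        order = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # 0xA1B2C3D4 written big-endian
        order = ">"
    else:
        raise ValueError("not a libpcap file (magic %r)" % magic)
    linktype = struct.unpack(order + "I", hdr[20:24])[0]
    return order, linktype


def pcap_stats(stream):
    """Walk every record once and return aggregate counters; memory stays flat."""
    order, linktype = _read_global_header(stream)
    stats = {"frames": 0, "bytes_on_wire": 0, "truncated": False,
             "ethertype": Counter(), "ip_proto": Counter()}
    while True:
        rec = stream.read(RECORD_HDR_LEN)
        if not rec:
            break                              # clean end of file
        if len(rec) != RECORD_HDR_LEN:
            stats["truncated"] = True          # partial record header: file cut short
            break
        _sec, _usec, incl_len, orig_len = struct.unpack(order + "IIII", rec)
        data = stream.read(incl_len)
        if len(data) != incl_len:
            stats["truncated"] = True          # partial packet data: file cut short
            break
        stats["frames"] += 1
        stats["bytes_on_wire"] += orig_len
        if linktype == LINKTYPE_ETHERNET and len(data) >= 14:
            ethertype = struct.unpack("!H", data[12:14])[0]
            stats["ethertype"][ETHERTYPE_NAMES.get(ethertype, hex(ethertype))] += 1
            # IPv4: the protocol field is byte 9 of the IP header, frame offset 23
            if ethertype == 0x0800 and len(data) >= 34:
                proto = data[23]
                stats["ip_proto"][IP_PROTO_NAMES.get(proto, str(proto))] += 1
    return stats


def split_pcap(stream, frames_per_chunk):
    """Yield self-contained pcap chunks of at most frames_per_chunk records
    (the editcap -c idea), still reading the input one record at a time."""
    header = stream.read(GLOBAL_HDR_LEN)
    order, _ = _read_global_header(io.BytesIO(header))
    chunk, count = [header], 0
    while True:
        rec = stream.read(RECORD_HDR_LEN)
        if len(rec) != RECORD_HDR_LEN:
            break
        incl_len = struct.unpack(order + "IIII", rec)[2]
        chunk.append(rec + stream.read(incl_len))
        count += 1
        if count == frames_per_chunk:
            yield b"".join(chunk)
            chunk, count = [header], 0
    if count:
        yield b"".join(chunk)


def stats_from_bytes(data):
    return pcap_stats(io.BytesIO(data))


def chunks_from_bytes(data, frames_per_chunk):
    return list(split_pcap(io.BytesIO(data), frames_per_chunk))


def _ethernet_frame(ethertype, ip_proto=None):
    """Constructed minimal frame: 14-byte Ethernet header, then a 20-byte IPv4
    header for IPv4 or 28 bytes of filler for anything else (e.g. ARP)."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    if ethertype == 0x0800:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, ip_proto, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        return eth + ip
    return eth + b"\x00" * 28


def build_sample_pcap(frames):
    """Serialize constructed frames as a little-endian libpcap file in memory."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1208000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed sample: 3 TCP, 2 UDP and 1 ARP frame (34, 34 and 42 bytes each).
SAMPLE_FRAMES = ([_ethernet_frame(0x0800, 6)] * 3 + [_ethernet_frame(0x0800, 17)] * 2
                 + [_ethernet_frame(0x0806)])
SAMPLE_PCAP = build_sample_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print(stats_from_bytes(SAMPLE_PCAP))
    print([stats_from_bytes(c)["frames"] for c in chunks_from_bytes(SAMPLE_PCAP, 4)])
```

Run on a real file with `pcap_stats(open("big.pcap", "rb"))`; because it reads record by record, a 3 GB capture needs no more memory than a 3 MB one. The `truncated` flag matters for captures that were cut off mid-write or glued together from pieces: a trailing partial record is reported rather than silently dropped or misparsed. The chunks produced by `split_pcap` each carry a full global header, so any of them can be opened on its own by Wireshark or tshark, and per-chunk results can be summed for the aggregate the thread asks about.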