Wireshark-users: Re: [Wireshark-users] Maximum file size?

From: "Anders Broman" <anders.broman@xxxxxxxxxxxx>
Date: Tue, 27 Oct 2009 08:25:08 +0100
Hi,
There is separate issues here:
1) The largest file pointer possible to use e.g. physical file size.
2) The amount of memory used by Wireshark when analyzing a file/trace.

2 depends on the protocols in the trace and on preference settings in Wireshark, reassembly
Uses memory conversation tracking does to etc.

A lot of work has been put into the trunk version of Wireshark to try to reduce the amount of memory used,
fix memory leaks etc and also to speed up loading of the file. Development snapshot 1.3.1 is due to be released soon or you could try a development build.

Note that with large files filtering and other operations may becom slow so you want to keep your files as small as possible.

Regards
Anders

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Joel Seidman
Sent: den 27 oktober 2009 06:21
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Maximum file size?

Hi All.

I want to know the maximum capture file size (if there is one) that can be loaded into 64-bit wireshark. I can't seem to find a definitive answer. 

I recently installed V 1.2.2 (SVN Rev. 29910) on a Vista computer (with a substantial amount of RAM). I selected the 64-bit version when I downloaded it. I believe the required Service Pack was installed also (need to confirm).

I eventually expect to have a capture file of several hundred MB or more. I haven't actually had a problem loading a large file in 64-bit wire shark (did with 32-bit version), but I did an experiment that may be related.  I have a capture file of 143 Meg. I loaded it, which went OK. Then I attempted to load it again in concatenation mode, and got an error box: "This application has requested the Runtime to terminate in an unusual way. Please contact the application support team for more information...".

So my question is, basically, what's the max? And whatever the answer, is it possible to increase it by re-building from source? Any other suggestions?

(I have read suggestions to break a large file up into smaller pieces, but I'd like to avoid that step if it's possible. The purpose is to use Wireshark's analytical capabilities to process a very large set of data in toto.)

TIA.

-- Joel
--
  Joel Seidman
  joel2009@xxxxxxxxxxx

--
http://www.fastmail.fm - A no graphics, no pop-ups email service

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe