Re: Running tshark on large pcap files

[Erik Hjelmvik <erik.hjelmvik () gmail com>]

2013/6/12 Rayne <hjazz6 () ymail com>:
> Is there a way to turn off TCP reassembly in tshark? I'm running tshark on
> multiple files using a script on a Linux server, so I can't use SplitCap.

Being the guy who develops SplitCap I can assure you that it runs on
Linux -- just make sure to install the mono framework.
Here's a quick howto for Ubuntu:

sudo apt-get install libmono2.0-cil mono-runtime
wget http://sourceforge.net/projects/splitcap/files/latest
unzip SplitCap_1-9.zip
mono SplitCap.exe -r dumfile.pcap

There is a minor bug when running in Linux though, as the split files
aren't properly put into a subdirectory. But I'll make sure to have
that fixed for the next release of SplitCap.

Feel free to let me know if you have any additional questions
regarding SplitCap!

/erik

> And it also doesn't seem like I can split up the files with editcap.
> Whenever I tried to do that with the large pcap files, I got empty output
> files (24 bytes) instead. I'm not sure if it was due to the large file size.
>
> As for replying to old threads, I'm sorry about that. I didn't know I was
> doing that, because I was posting only from emails. I thought I just needed
> to send to wireshark-users () wireshark org (using my old posts so I could
> reference the email address) and a new thread would be created. I'll be sure
> not to do that again the next time I post a new thread. Sorry!
>
> ________________________________
> From: Christopher Maynard <Christopher.Maynard () gtech com>
> To: wireshark-users () wireshark org
> Sent: Tuesday, June 11, 2013 12:30 PM
>
> Subject: Re: [Wireshark-users] Running tshark on large pcap files
>
> Anders Broman <a.broman@...> writes:
>
> >    Possible workarounds:
> >    - Use editcap to split the files to more manageable chunks of say 1
> >    - 2 GiB.
> >    - turn off TCP reassembly and all protocols you see above TCP/UDP
> >    I don't know if the MPLS dissector has any memory consuming features
> >    tunable by preferences. Your best bet i s probably editcap, you can
> >    splice the resulting files back together with mergecap should you
> >    need it.
>
> Another possibility is splitcap: http://www.netresec.com/?page=SplitCap.
> - Chris
>
> P.S. This entire thread is buried on page 3 of the gmane archives under the
> 30 May 2013 12:09 thread entitled, "Editcap 1.2.15 not working", which
> itself is incorrectly threaded under the 30 Jan 2013 11:11 thread entitled,
> "Understanding SMB flow in Wireshark", all of which were started by Rayne.
> Please start a new message/thread instead of replying to old threads and
> changing the subject line.
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request () wireshark org?subject=unsubscribe



-- 
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe