compressing / reading lz4

asked 2020-05-11 06:02:38 +0000

msi

I'm on Ubuntu 19.10.

I have a pcap file x.pcap which I can evaluate using tshark -r x.pcap.

I want to work with compressed pcap files.

I do lz4 x.pcap. Trying to evaluate with tshark -r x.pcap.lz4 fails with "tshark: The file "x.pcap.lz4" isn't a capture file in a format TShark understands."

tshark -v shows version "TShark (Wireshark) 3.0.5 (Git v3.0.5 packaged as 3.0.5-1)" and lists "with zlib 1.2.11"

1 Answer

answered 2020-05-11 06:44:43 +0000

Chuckc

Only gzip compressed files are supported.

-r|--read-file <infile>
Read packet data from infile, can be any supported capture file format (including gzipped files).

There is no need to tell Wireshark what type of file you are reading; it will determine the file type by itself. Wireshark is also capable of reading any of these file formats if they are compressed using gzip. Wireshark recognizes this directly from the file; the '.gz' extension is not required for this purpose.


I felt pretty sure support for lz4, amongst a few others, was indicated on some webpage / commit since some early 3.0x version. Must have been some protocol compression support then.

Bummer, gzip compresses too slowly for our use case.


msi (2020-05-11 07:13:43 +0000)

Yes, it looks like some dissectors use it: Commits mentioning lz4

Chuckc (2020-05-11 14:13:08 +0000)
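The answer above says the file type is recognized from the file's content, not its extension. The following is an added example (not part of the thread and not Wireshark's code) that does the same kind of content check before a file is handed to tshark. The function names and sample bytes are constructed for illustration; the magic values are the published gzip, LZ4 frame, pcap and pcapng signatures, and the "readable" rule simply encodes what the answer states for this TShark version.

```python
import gzip
import io
import struct

# Leading magic bytes (published format signatures).
GZIP_MAGIC = b"\x1f\x8b"
LZ4_FRAME_MAGIC = b"\x04\x22\x4d\x18"  # 0x184D2204 stored little-endian
CAPTURE_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian)",
    b"\x4d\x3c\xb2\xa1": "pcap nanosecond (little-endian)",
    b"\xa1\xb2\x3c\x4d": "pcap nanosecond (big-endian)",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}


def sniff(data: bytes) -> tuple:
    """Return (container, inner_format), judged from content only."""
    if data[:2] == GZIP_MAGIC:
        # Decompress just enough to see the capture magic inside the gzip stream.
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as g:
            inner = g.read(4)
        return "gzip", CAPTURE_MAGICS.get(inner, "unknown")
    if data[:4] == LZ4_FRAME_MAGIC:
        # The standard library has no LZ4 decoder, so the payload is not inspected.
        return "lz4", "not inspected"
    return "none", CAPTURE_MAGICS.get(data[:4], "unknown")


def readable_per_answer(data: bytes) -> bool:
    """Assumption taken from the answer: uncompressed or gzip-compressed captures only."""
    container, inner = sniff(data)
    return container in ("none", "gzip") and inner in CAPTURE_MAGICS.values()


# Constructed samples: a 24-byte pcap global header with no packets, the same
# header gzip-compressed, and an LZ4 frame magic followed by filler bytes.
PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
GZ_PCAP = gzip.compress(PCAP)
LZ4_SAMPLE = LZ4_FRAME_MAGIC + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("x.pcap", PCAP), ("x.pcap.gz", GZ_PCAP), ("x.pcap.lz4", LZ4_SAMPLE)]:
        print(name, sniff(blob), "readable" if readable_per_answer(blob) else "not readable")
```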

Asked: 2020-05-11 06:02:38 +0000

Seen: 776 times

Last updated: May 11 '20