compressing / reading lz4

asked 2020-05-11 06:02:38 +0000

msi
3 ●1 ●1

I'm on Ubuntu 19.10.

I have a pcap file x.pcap which i can evaluate using tshark -r x.pcap

I want to work with compressed pcap files.

I do lz4 x.pcap. Trying to evaluate with tshark -r x.pcap.lz4 fails with "tshark: The file "x.pcap.lz4" isn't a capture file in a format TShark understands."

tshark -v shows version "TShark (Wireshark) 3.0.5 (Git v3.0.5 packaged as 3.0.5-1)" and lists "with zlib 1.2.11"

answered 2020-05-11 06:44:43 +0000

Chuckc
2808 ●5 ●566 ●19

Only gzip compressed files are supported.

https://www.wireshark.org/docs/man-pa...

-r|--read-file <infile>
Read packet data from infile, can be any supported capture file format (including gzipped files).

https://www.wireshark.org/docs/man-pa...

There is no need to tell Wireshark what type of file you are reading; it will determine the file type by itself. Wireshark is also capable of reading any of these file formats if they are compressed using gzip. Wireshark recognizes this directly from the file; the '.gz' extension is not required for this purpose.

edit flag offensive delete link

Comments

I felt pretty sure, support for lz4 amongst a few others was indicated on some webpage / commit since some early 3.0x version. Must have been some protocol compression support then.

Bummer, gzip compresses too slow for our use case.

Thanks.

msi ( 2020-05-11 07:13:43 +0000 )edit

Yes, it looks like some dissectors use it: Commits mentioning lz4

Chuckc ( 2020-05-11 14:13:08 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

compressing / reading lz4

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

compressing / reading lz4 edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

compressing / reading lz4