Is there a maximum file size for pcap-files?

I was wondering if there are any limits on how big a pcap-file can be? According to a user on the spiceworks forums the limit is generally 1/10 of the local computers RAM. Is this true?

No, that statement is not correct. PCAP files can have any size, but Wireshark has some limits loading them. This doesn't depend only on file size, but also on what's in the file. E.g. if there is a lot of protocols (like TCP) where Wireshark keeps a lot of state/expert/symptom/association information, you'll run out of memory much sooner. So you may be able to load a 2 GByte file in one situation, while you can't in another, depending on what was captured.

In general you should think of Wireshark as a microscope - it can show the greatest detail possible, but it's not really made for huge chunks of stuff moved under the lens.

I see, so Wireshark could potentially load a 10gb file, but might run into trouble depending on the information and amount of protocols presented in the file?

khans3 gravatar imagekhans3 ( 2018-03-31 12:19:24 +0000 )edit

Yes, and it might take a long time to load, too.

Jasper gravatar imageJasper ( 2018-03-31 15:21:15 +0000 )edit

