The code that handles packets from live captures is the same code that handles packets from capture files. During a live capture, dumpcap writes packets to a file that Wireshark or TShark has open, and, if it's written a batch of N packets to the file, sends Wireshark/TShark a message saying "I've just added N more packets", and Wireshark/TShark reads the next N packets from the file when it reads that message.
So presumably what you mean is "is there any way to have the packets show up as they're loaded if I'm reading a capture file, rather than waiting for the entire file to be read in before seeing any packets?"
It might be possible to change Wireshark's file-reading code to do that (I've seen Microsoft Word show similar behavior when reading a large document - the scrollbar changes as the file is being read, indicating that more text is available), although it's probably more than just a tweak, and it'd be best to make sure it doesn't slow down the process of reading the entire file too much.
Thank you Guy Harris for the feedback. It's clear now that packet handling is the same for live capture and capture files.
So presumably what you mean is "is there any way to have the packets show up as they're loaded if I'm reading a capture file, rather than waiting for the entire file to be read in before seeing any packets?" - Yes, this is a better way to put it.
It's nice to hear that its possible.
I agree that it best be sure to see if it might slow down with packet list pane updates. I can imagine viewing a capture file similarly with how a live capture populates the packet list pane.
Maybe this could be an optional read mode to pursue for users with large files.
Yes, use the GTK version of Wireshark. It allows you to interrupt the loading of large captures, a features that wasn't ported to the Qt interface AFAIK. But it won't help with other operations (filtering, etc. IIRC), which reloads the capture file, so is of limited use.
Another option is to use editcap to split the capture files into more manageable parts.
It allows you to interrupt the loading of large captures, a features that wasn't ported to the Qt interface AFAIK.
No, when the file is being read in, there's a progress bar in the status area at the bottom of the Wireshark window, with an [X] box next to it (it turns red when you hover over it) - click on the [X] and the read stops.
Thank you Jaap for the feedback. I've tried clicking on the [X] and the reading did stop. Thanks for the suggestion of editcap.
@Guy Harris Aha, so that's where it ended up. A more subtle UI element instead of a dialog.
Asked: 2017-12-12 02:52:13 +0000
Seen: 2,066 times
Last updated: Dec 12 '17
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
