I have a pcap file of size 16 GB and I am using the following tshark command tshark -T fields -n -r testbed.pcap -E separator=, -e ip.proto -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e frame.number -e frame.time_epoch -e tcp.flags.urg -e tcp.checksum_bad >file.txt" But after writing for only 222MB, tshark is closing. Please suggest how to write the entire content. Your help will be highly appreciated. Thank You PUGLU asked 19 Nov '13, 21:23  puglu |
One Answer:
As you have a 32 bit OS, the tshark process is limited to 2GB RAM, unless you have enabled 4GB tuning as detailed here, which will then allow tshark to use 3GB RAM. You'll also need to use a version of tshark that has the large memory address aware flag set in the executable, I don't know when we started doing that but a recent (1.10.x) version will be OK. If you have access to a 64 bit OS, then you can use the 64 bit version of tshark which will then be able to access most of the memory on the pc, even then this may not be enough to process all your capture in one go without splitting it. answered 20 Nov '13, 02:40  grahamb ♦ Thank you very much grahamb for the reply. i will try the tuning as well as download the latest version Thank you once again. (20 Nov '13, 03:37) puglu Refer also to Wireshark's OutOfMemory wiki page for more information on that topic. And for splitting the large 16GB file into smaller files, which ought to help avoid this situation, refer to the editcap man page. (20 Nov '13, 07:29) cmaynard ♦♦ Thank you cmaynard. I have done just that. i have split the file. (20 Nov '13, 19:57) puglu |
What verion of Wireshark/tshark are you using? tshark might be running out of memory 16GB is quite a big file you might need to split it in smaller pieces.
i am using wireshark-win32-1.6.8. i have tried the same tshark command for a 4 GB pcap also. it is giving the same result.
What is your OS and installed memory? As @Anders said, it's likely you are running out of memory.
4 GB RAM
I am using windows xp sp3, 32 bit