wireshark-users October 2010 archive
Main Archive Page > Month Archives  > wireshark-users archives
wireshark-users: Re: [Wireshark-users] Wireshark (1.4.0) fails o

Re: [Wireshark-users] Wireshark (1.4.0) fails opening large file on Windows Vista 32-bit.

From: Jaap Keuter <jaap.keuter_at_nospam>
Date: Mon Oct 25 2010 - 13:36:05 GMT
To: Community support list for Wireshark <wireshark-users@wireshark.org>

Hi,

http://wiki.wireshark.org/KnownBugs/OutOfMemory [1]

Thanks,
Jaap

On Mon, 25 Oct 2010 12:02:32 +0200, Tamás Varga wrote:

Hi Wiresharkers,

Complementing my earlier mail, I have made a little
survey on the issue.
With editcap, I have split the file into two
parts, and it can be loaded:
 editcap -c 6000000
wa_00000_20100730043832.pcap wab.pcap

However, tshark.exe fails to
open the file, even in file-to-file mode with filter:
 tshark -r
wa_00000_20100730043832.pcap -w wac.pcap -R "ip.addr == 10.110.156.17"

Running capinfos.exe, yields negative file size:
C:Temp>capinfos
wa_00000_20100730043832.pcap
File name: wa_00000_20100730043832.pcap

File type: Wireshark/tcpdump/... - libpcap
File encapsulation:
Ethernet
Packet size limit: file hdr: 300 bytes
Packet size limit:
inferred: 300 bytes
Number of packets: 11697799
File size: -1855096401
bytes
Data size: 7220225590 bytes
Capture duration: 60 seconds
Start
time: Fri Jul 30 04:38:32 2010
End time: Fri Jul 30 04:39:32 2010
Data
byte rate: 119560482.40 bytes/sec
Data bit rate: 956483859.19
bits/sec
Average packet size: 617.23 bytes
Average packet rate:
193705.10 packets/sec
SHA1:
f3fea0286f21f5ce8543e960f95b72503c40c953
RIPEMD160:
e32e45c02492ecf54ffff0a1ff07bd895f70962e
MD5:
e18b4af9a612379a315780cfad7bd9df
Strict time order: False

With respect
to my earlier mail, I was about to open the file and press STOP to
prevent loading the entire file.
(I was not expecting to fit a >2GB
file into the user-space of 32-bit application). But the "Loading..."
window does not appear.

cheers,
 Tamas

-------------------------

FROM: wireshark-users-bounces@wireshark.org
[mailto:wireshark-users-bounces@wireshark.org] ON BEHALF OF Tamás
Varga
SENT: Monday, October 25, 2010 11:12
TO:
wireshark-users@wireshark.org
SUBJECT: [Wireshark-users] Wireshark
(1.4.0) fails opening large file on Windows Vista 32-bit.

Hi
Wiresharkers,

I have received a large PCAP file on NTFS filesystem of
size 2,439,870,895 bytes.
Opening the file yields the following error
message (after a long wating time):
GLib-ERROR **: gmem.c:136: failed
to allocate 4294967295 bytes aborting…

To open the file, is it worth
seeking for a 64-bit machine?
Is largefile support planned in any
32-bit versions of Wireshark?

cheers,
Tamas

 

Links:
------
[1]
http://wiki.wireshark.org/KnownBugs/OutOfMemory

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe