I don't know whether or not this has been fixed, but I found that I had to
recompile tcpslice and/or tcpdump to deal with files larger than 4 gig (or
maybe 2 gig).  I suppose it's a better situation than wireshark.  After a
few million packets, it falls over because it makes the widgets in the
scroller window for every packet in the file that's visible with the current
filter.  The memory from these widgets gets big fast.  On a 64 bit machine
... you can analyze a larger file --- and suck down a lot of swap... but on
a 32 bit machine, you run out of address space quickly.

On Tue, Nov 18, 2008 at 4:41 PM, David Wolfskill <[EMAIL PROTECTED]> wrote:

> [Cross-post to -questions elided, since I saw the message on -stable,
> and I'd like to discourage gratuitous cross-posting.  dhw]
>
> On Tue, Nov 18, 2008 at 07:30:39PM -0200, Eduardo Meyer wrote:
> > Hello,
> >
> > I have a kind of big tcpdump file, which has data from the last week. I
> > want to dump information based on date. Can I do it without generating
> > a full output and later parse the headers?
>
> See the port net/tcpslice.
>
> Here's an excerpt from its man page:
>
> DESCRIPTION
>       Tcpslice is a program for extracting portions of packet-trace files
>       generated using tcpdump(l)'s -w flag.  It can also be used to merge
>       together several such files, as discussed below.
> ...
>       There are a number of ways to specify times.  The first is using Unix
>       timestamps of the form sssssssss.uuuuuu (this is the format specified
>       by tcpdump's -tt flag).  For example, 654321098.7654 specifies 38
>       seconds and 765,400 microseconds after 8:51PM PDT, Sept. 25, 1990.
>
> > ...
>
> Peace,
> david
> --
> David H. Wolfskill                              [EMAIL PROTECTED]
> Depriving a girl or boy of an opportunity for education is evil.
>
> See http://www.catwhisker.org/~david/publickey.gpg for my public key.
>
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
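
An added example, not part of the original thread and not tcpslice's own code: a minimal time-window extractor for classic pcap files that reads one record at a time, so memory use does not grow with the size of the capture. The names `slice_pcap` and `make_sample` are made up for this sketch, the sample capture is constructed around the 654321098.7654 timestamp from the man page excerpt, and pcapng files are not handled.

```python
import io
import struct

# Magic as read little-endian -> (byte order of the file, fractional units per second)
MAGICS = {
    0xA1B2C3D4: ("<", 10**6),  # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", 10**6),  # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 10**9),  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", 10**9),  # big-endian file, nanosecond timestamps
}

def slice_pcap(src, dst, start, end):
    """Copy records with start <= timestamp < end (Unix seconds); return count kept."""
    header = src.read(24)
    magic = struct.unpack("<I", header[:4])[0] if len(header) == 24 else None
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian, frac = MAGICS[magic]
    dst.write(header)
    kept = 0
    while True:
        rec = src.read(16)  # per-packet header: sec, subsec, caplen, origlen
        if len(rec) < 16:
            break  # end of file, or capture truncated inside a record header
        sec, sub, caplen, _origlen = struct.unpack(endian + "IIII", rec)
        data = src.read(caplen)
        if len(data) < caplen:
            break  # capture truncated mid-packet; drop the partial record
        if start <= sec + sub / frac < end:
            dst.write(rec + data)
            kept += 1
    return kept

def make_sample(endian="<"):
    """Constructed three-packet capture (link type 1) used only for the demo."""
    buf = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in [(654321000, 0), (654321098, 765400), (654321200, 0)]:
        payload = b"\x00" * 14
        buf += struct.pack(endian + "IIII", sec, usec, 14, 14) + payload
    return buf

if __name__ == "__main__":
    out = io.BytesIO()
    print(slice_pcap(io.BytesIO(make_sample()), out, 654321098, 654321099))
```

For a real capture, pass files opened in binary mode (`open(path, "rb")` and `open(path, "wb")`) in place of the `BytesIO` objects.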
