Wireshark utilities such as tshark and editcap are unable to read
large files. When using the Wireshark package to monitor live packets, it
may be necessary to read files that are many gigabytes. Upon
investigating the code, I find that an eth_open function call is made::

    wiretap/file_access.c:          wth->fd = eth_open(filename, O_RDONLY|O_BINARY, 0000 /* no creation so don't matter */);

With a Linux system in mind, this function would call the open(..)
function. It seems that OR'ing O_LARGEFILE into the flags argument
(i.e. the 2nd argument of eth_open(..)) would help::

    wth->fd = eth_open(filename, O_RDONLY|O_BINARY|O_LARGEFILE, 0000);

An alternative option is to rewrite this code with a call to
fopen(filename, "r") instead of using open(..). Tcpdump, using libpcap,
which calls fopen(..), has no issue dealing with large files.


I am new to the Wireshark development community. What is the next step in
creating a defect and scheduling a fix in a future Wireshark version?

Thanks.

_______________________________________________
Wireshark-dev mailing list
[email protected]
https://wireshark.org/mailman/listinfo/wireshark-dev
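The large-file open described in the post, as an added example that is not code from the post or from Wireshark's wiretap: it combines the O_LARGEFILE flag the post proposes with _FILE_OFFSET_BITS=64 (the portable glibc way to get 64-bit off_t), and returns the capture's size through a 64-bit type. The function names and the sample file path are constructed for this example; O_BINARY is omitted because Linux does not define it.

```c
/* Added example, not from the post or Wireshark. _FILE_OFFSET_BITS=64
 * makes off_t 64-bit and routes open() to open64() on 32-bit glibc;
 * O_LARGEFILE is the explicit flag the post proposes adding. */
#define _FILE_OFFSET_BITS 64
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_LARGEFILE
#define O_LARGEFILE 0   /* 64-bit hosts: flag is implied, define as a no-op */
#endif

/* Returns the size in bytes, or -1 with errno set. Without large-file
 * support, a 32-bit build fails here with EOVERFLOW once the capture
 * exceeds 2 GiB, which is the symptom the post describes. */
long long capture_file_size(const char *path)
{
    int fd = open(path, O_RDONLY | O_LARGEFILE);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return (long long)st.st_size;   /* st_size is a 64-bit off_t here */
}

/* Writes a constructed sample file of n bytes; returns 0 on success. */
int write_sample_file(const char *path, size_t n)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    for (size_t i = 0; i < n; i++) fputc('x', f);
    return fclose(f);
}

int main(void)
{
    const char *path = "/tmp/sample_capture.pcap";   /* constructed path */
    if (write_sample_file(path, 4096) != 0) { perror("write"); return 1; }
    long long size = capture_file_size(path);
    if (size < 0) { perror(path); return 1; }
    printf("off_t is %zu bytes; %s is %lld bytes\n", sizeof(off_t), path, size);
    return unlink(path);
}
```

On a 32-bit build, compiling the same code without the _FILE_OFFSET_BITS define and without O_LARGEFILE is the configuration in which open() returns EOVERFLOW for captures over 2 GiB.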
