polewcatalog.blogg.se

Tshark windows












Sometimes it also happens during network troubleshooting engagements, but it is also common for analysis jobs regarding network forensics: dealing with a huge number of packets, sometimes millions or more. Two typical situations may have you scratch your head: either you have one huge file containing all packets at once, or you have a ton of small files that you need to look at. So let’s see how we can still tackle both.

First, let’s look at having only one huge file to deal with, which in my case starts somewhere above 256MBytes in size. I often set up my captures for file sizes of 128 or 256MBytes, because they are still “okay-ish” when opened in Wireshark – it takes some time to load and filter them, but it’s not too bad. But when I end up with files larger than that – sometimes more than 10GBytes in size – that won’t work anymore. It’s not so much that Wireshark can’t load the file – because it often can, at least the recent versions. The developers worked hard on improving this, and you can now open files that you couldn’t a couple of years ago.

But the initial loading of a file isn’t the time-consuming part when you perform a packet analysis task – filtering is. Each display filter you apply re-reads the whole file from disk. Each and every time, because Wireshark doesn’t keep packets in memory, except the one packet currently decoded and displayed. So if you apply a filter in any way, Wireshark needs to read all packets again to check if they match the current filter condition.
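As an added illustration (not code from the original post and not Wireshark's implementation), this simplified Python model of a file-based filter pass shows why every new filter costs a full read of the capture and, going one step beyond the text, how writing the matches to a smaller capture makes later passes cheaper. It assumes the classic little-endian pcap layout; `build_sample_capture` and `filter_pass` are hypothetical names, and the sample packets are constructed.

```python
import io
import struct

PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, version, zone, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC = 0xA1B2C3D4


def build_sample_capture(n_packets):
    """Constructed sample: fake 60-byte packets whose first byte is i % 4."""
    buf = io.BytesIO()
    buf.write(PCAP_GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i in range(n_packets):
        payload = bytes([i % 4]) + b"\x00" * 59
        buf.write(PCAP_REC_HDR.pack(i, 0, len(payload), len(payload)))
        buf.write(payload)
    return buf.getvalue()


def filter_pass(capture, predicate, out=None):
    """One filter pass: stream every record, holding one packet at a time.

    Returns (records_read, records_matched). If `out` is given, matching
    records are written to it as a smaller capture for later passes.
    """
    src = io.BytesIO(capture)
    file_hdr = src.read(PCAP_GLOBAL_HDR.size)
    if len(file_hdr) < PCAP_GLOBAL_HDR.size or \
            PCAP_GLOBAL_HDR.unpack(file_hdr)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    if out is not None:
        out.write(file_hdr)
    read = matched = 0
    while True:
        rec_hdr = src.read(PCAP_REC_HDR.size)
        if len(rec_hdr) < PCAP_REC_HDR.size:
            break  # clean end of file, or a truncated record header
        incl_len = PCAP_REC_HDR.unpack(rec_hdr)[2]
        packet = src.read(incl_len)
        if len(packet) < incl_len:
            break  # capture was cut off in the middle of a packet
        read += 1
        if predicate(packet):
            matched += 1
            if out is not None:
                out.write(rec_hdr + packet)
    return read, matched
```

Two different predicates over the same capture each touch every record, while a pass over the reduced capture only touches the records that were kept.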












