Opening Large Capture Files with WireShark (aka Ethereal)

Sometimes it might be needed to open ”’big”’ network traffic capture files (a.k.a. .cap) . This challenge is commonly encountered since this sort of logging it is usually very verbose. Leaving a packet sniffer (such as tcpdump) overnight logging all the packets that go through a network interface card might generate several gigs of data.

WireShark (formerly known as Ethereal) is an excellent open source packet sniffer with a nice user interface (GUI) and available for many different platforms.

According to WireShark’s documentation:

Wireshark uses memory to store packet meta data (e.g. conversation and fragmentation related data) and to display this info on the screen.

How much memory actually used is depending on:

  • the number of packets captured (well, depending on the capture duration and the network load on the line)
  • the kind of packets captured (small/large packets, some packet types will lead to much more memory usage than others)
  • the preference settings, e.g. the “TCP desegmentation” setting

In my experience (and with the capture files and Preference settings I’m usually working with), I need about ten times of memory than the actual capture file size. But again, this will largely depend on the things noted above.

Fortunately, WireShark includes a easy-to-use tool to manipulate capture files: editcap.

Editcap is able to do things like processing a huge capture file and extract the packet information that correspond to a certain period of time. This functionality is perfect if, let’s say, you have a 24 hours capture file and you know that problems were reported at a certain time. You could then extract a bunch of packets around that time, export this into a new file and open it using WireShark.

Editcap Usage

Usage: editcap [options] ...   [ [-] ... ]

A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets, default is to delete them
  -A         don't output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss)
  -B          don't output packets whose timestamp is after the
                         given time (format as YYYY-MM-DD hh:mm:ss)
  -d                     remove duplicate packets

Packet manipulation:
  -s            truncate each packet to max.  bytes of data
  -C            chop each packet at the end by  bytes
  -t    adjust the timestamp of each packet,
                          is in relative seconds (e.g. -0.5)
  -E  set the probability (between 0.0 and 1.0 incl.)
                         that a particular packet byte will be randomly changed

Output File(s):
  -c   split the packet output to different files,
                         with a maximum of  each
  -F       set the output file type, default is libpcap
                         an empty "-F" option will list the file types
  -T         set the output file encapsulation type,
                         default is the same as the input file
                         an empty "-T" option will list the encapsulation types

Miscellaneous:
  -h                     display this help and exit
  -v                     verbose output

Editcap Example
This example extracts all the packet information corresponding to 4th July 2008, 6am to 7am and writes it into a new file, i.e.:

  • Source file: 2008-07-04_capture.cap (813 MB)
  • Destination file: 6to7.cap (48.5 MB)
editcap -A "2008-07-04 06:00:00" -B "2008-07-04 07:00:00" 2008-07-03_capture.cap 6to7.cap