Mitel Forums - The Unofficial Source
Mitel Forums => SIP On Mitel => Topic started by: pmhaynes on December 04, 2019, 04:43:16 AM
-
I recently had a need to open a 30GB pcap file.
The usual intermittent call issues, so I had to start a new trace every day so the file didn't get too large.
Well, sod's law, the issue happened over the weekend, so the pcap file had reached 30GB.
Trying to open a file of that size in Wireshark caused it to crash.
Even if it did open in Wireshark, it would be incredibly slow.
As we knew the time and date when the issue occurred, we wanted to filter the capture to that period.
But as I could not open the file, I could not filter it.
Some googling later I found editcap,
a command line utility built in to Wireshark that allows you to do many things, including extracting a time period from a pcap file.
Here is my post on it:
http://phonesystemhelp.info/how-to-edit-large-wireshark-files-with-editcap/
Hope someone finds it useful when fault finding SIP issues.
P.S. I know I can use the "port 5060" command to only capture signalling, but I needed the voice packets in this instance.
P :)
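For readers who want to see what the time-window extraction in the post actually does, here is an added example of my own (not code from the post or from the linked blog). It streams a classic pcap file record by record and keeps only packets whose timestamp falls in a window, which is what `editcap -A "YYYY-MM-DD HH:MM:SS" -B "YYYY-MM-DD HH:MM:SS" in.pcap out.pcap` does for the time-range case, and it stops cleanly at a record that was cut off mid-write, as a 30GB capture from a box that fell over often is. The function names, the constructed sample capture and the `demo()` window are all mine; only classic pcap (the format tcpdump writes) is handled, and pcapng, which Wireshark saves by default, is rejected rather than mis-parsed.

```python
"""Stream a time window out of a large classic-pcap file without loading it all.

Added example, not code from the original post.  Mirrors the time-range case of
editcap -A/-B so the logic is visible.  Classic pcap only (what tcpdump writes);
pcapng, Wireshark's default save format, is rejected rather than mis-parsed.
"""
import io
import struct
import sys
from datetime import datetime

# magic as read little-endian from the first 4 bytes -> (byte order, timestamp ticks per second)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),       # little-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),   # little-endian file, nanosecond timestamps
    0xD4C3B2A1: (">", 1_000_000),       # big-endian file, microsecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),   # big-endian file, nanosecond timestamps
}
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def slice_pcap(src, dst, start_ts, end_ts):
    """Copy records with start_ts <= timestamp < end_ts from src to dst.

    src/dst are binary file objects.  Records are read one at a time, so memory
    use is constant regardless of capture size.  A record cut off mid-write
    (capture host crashed, disk filled) ends the copy cleanly instead of
    raising; the returned stats report that it happened.
    """
    header = src.read(GLOBAL_HDR_LEN)
    if len(header) < GLOBAL_HDR_LEN:
        raise ValueError("not a pcap file: short global header")
    (magic,) = struct.unpack("<I", header[:4])
    if magic not in PCAP_MAGICS:
        raise ValueError("unrecognised magic 0x%08x (pcapng is not handled)" % magic)
    endian, ticks = PCAP_MAGICS[magic]
    rec_hdr = struct.Struct(endian + "IIII")   # ts_sec, ts_frac, incl_len, orig_len

    dst.write(header)                          # output keeps the source's link type and snaplen
    stats = {"read": 0, "kept": 0, "truncated": False}
    while True:
        rh = src.read(RECORD_HDR_LEN)
        if not rh:
            break                              # clean end of file
        if len(rh) < RECORD_HDR_LEN:
            stats["truncated"] = True          # partial record header
            break
        ts_sec, ts_frac, incl_len, _orig_len = rec_hdr.unpack(rh)
        data = src.read(incl_len)
        if len(data) < incl_len:
            stats["truncated"] = True          # header promised more bytes than exist
            break
        stats["read"] += 1
        ts = ts_sec + ts_frac / ticks
        if start_ts <= ts < end_ts:
            dst.write(rh)
            dst.write(data)
            stats["kept"] += 1
    return stats


def parse_local_time(text):
    """'YYYY-MM-DD HH:MM:SS' in local time -> epoch seconds (the convention editcap uses)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").timestamp()


def build_sample_pcap():
    """Constructed sample: five 14-byte records one minute apart (t=1000..1240),
    then a record whose body is cut short, as a capture that died mid-write would be."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # v2.4, snaplen 65535, Ethernet
    for i in range(5):
        body = bytes([i]) * 14
        out += struct.pack("<IIII", 1000 + 60 * i, 0, len(body), len(body)) + body
    out += struct.pack("<IIII", 1300, 0, 40, 40) + b"\x00" * 10  # header says 40 bytes, only 10 follow
    return out


def demo(start_ts=1050.0, end_ts=1200.0):
    """Slice the constructed capture, then re-parse the output to confirm it is well formed."""
    dst = io.BytesIO()
    stats = slice_pcap(io.BytesIO(build_sample_pcap()), dst, start_ts, end_ts)
    check = slice_pcap(io.BytesIO(dst.getvalue()), io.BytesIO(), 0.0, float("inf"))
    return stats, check


if __name__ == "__main__":
    if len(sys.argv) == 5:
        in_path, out_path, start, end = sys.argv[1:]
        with open(in_path, "rb") as s, open(out_path, "wb") as d:
            print(slice_pcap(s, d, parse_local_time(start), parse_local_time(end)))
    else:
        print(demo())
```

Run with no arguments to see the constructed demo (three of five packets kept, truncation flagged); run as `python slice_pcap.py big.pcap window.pcap "2019-11-30 09:00:00" "2019-11-30 10:00:00"` to cut a real capture. Check the `truncated` flag in the output: a capture that ends in a half-written record is exactly the kind of file that makes a GUI open fail, and the slice still contains every complete packet before the cut.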
-
Thanks for sharing.
I do find your blog posts useful. Very handy.
-
If I am running a capture over any period of time, I typically run the command line tshark and use options for how big to make each capture file and how many to keep,
i.e. 200 x 50 MB files:
-b filesize:51200 -b files:200
https://www.wireshark.org/docs/man-pages/tshark.html
-
Thanks for this info
-
Thank you for the info. I will definitely take a look. I do seem to RTM more as I get older :)
Can't run this on the Mitel Linux servers, but definitely useful for other servers.
Let me know if I'm wrong.
Thanks again
-
tcpdump can also write multiple files.
e.g. to run tcpdump with 20MB files, max 50 files, overwriting the oldest:
tcpdump -i any -n -s0 -C 20 -W 50 -Z root -w capture.pcap
-
Excellent. I did use tcpdump on the older versions; I did not know it could do that, though. I will give it a go, thank you.
Think I may have to mount a network share to save the files to as well.
Thanks for your help
Paul