Perry Smith
2014-05-23 16:49:28 UTC
I am using the latest wireshark (1.10.7) on a Mac 10.8.5 and I have an oddity...
I have a big 600M pcap. I can load it up in wireshark and go to IO Graphs and I get graphs like you would expect.
I use editcap to split the file into pieces using -i. If I do -i 100, then I can not get an IO Graphs to display. The window comes up but there is no graph(s) drawn. If I do -i 10, then it works again. The final twist is if a friend loads up one of the pieces from the -i 100 split, it works for him.
The command is:
editcap -i 100.0 big.pcap small
To recap: editcap -i 100 on a Mac followed by using wireshark on a Mac does not show any IO Graphs while the same file works fine on another system (I think he had a windows box).
It appears small values of -i work while larger ones do not but I'm still doing some experimentation.
Am I perhaps doing something wrong?
Thank you for your help,
Perry
I have a big 600M pcap. I can load it up in wireshark and go to IO Graphs and I get graphs like you would expect.
I use editcap to split the file into pieces using -i. If I do -i 100, then I can not get an IO Graphs to display. The window comes up but there is no graph(s) drawn. If I do -i 10, then it works again. The final twist is if a friend loads up one of the pieces from the -i 100 split, it works for him.
The command is:
editcap -i 100.0 big.pcap small
To recap: editcap -i 100 on a Mac followed by using wireshark on a Mac does not show any IO Graphs while the same file works fine on another system (I think he had a windows box).
It appears small values of -i work while larger ones do not but I'm still doing some experimentation.
Am I perhaps doing something wrong?
Thank you for your help,
Perry