This article describes how to split large packet capture files on the Linux operating system.


This article describes how to split large packet capture files on the Linux operating system.


Occasionally, you get network packet traces that are too large for Wireshark to manage and you receive the following error message:

"Out Of Memory!
Sorry, but Wireshark has to terminate now!"

User-added image


Warning! This article contains content that is experimental and is not an officially supported Citrix solution. Citrix cannot guarantee that problems resulting from this implementation can be solved or supported. It is provided to you as an option that has not been fully tested. Use this at your own risk.

Complete one of the following options to split large packet capture files on the Linux operating system.

Option 1

An option to reduce the size of this file is to use a Perl script that is available for download from http://www.badpenguin.co.uk/files/pcap-util. This script can be used to extract packets from a specified time period (using the timestamp in the packet header) out of a huge dump file and copy them into a new file that should be much smaller and much easier and faster to analyze.

Alternatively you can use it to split the huge file into several smaller files of x MB each.

Option 2

It is also possible to use the libpcap filter language to extract packets from the source file as following: ??

pcap-util filter nstrace2.pcap before-trace.pcap "host and port 22"

This utility makes use of Net::Pcap module, which you can get from CPAN, or if you are on a Debian distribution such as Ubuntu, you can just "apt-get install libnet-pcap-perl".
A Fedora based system with yum can use “yum install perl-Net-Pcap.i386”.

User-added image
In this example, the file nstrace2.pcap is split into files with the prefix before_trace and the size of 500 MB.

User-added image

Issue the following command to obtain the preceding output:

# /home/etargonski/pcap-util.pl split nstrace2.pcap before_trace 500

 -rw-r--r-- 1 root root  497M 2008-11-07 12:52 before_trace.0.tcpdump -rw-r--r-- 1 root root  497M 2008-11-07 12:53 before_trace.1.tcpdump -rw-r--r-- 1 root root  497M 2008-11-07 12:54 before_trace.2.tcpdump -rw-r--r-- 1 root root  497M 2008-11-07 12:54 before_trace.3.tcpdump -rw-r--r-- 1 root root  277M 2008-11-07 12:54 before_trace.4.tcpdump

Now you will be able to open these files with no errors related to file size. The described script is also able to filter packets out from a specific time period and can filter packets using the libpcap filter language as stated:

 Extract packets from time period -------------------------------- /home/etargonski/pcap-util.pl time <infile> <outfile> <Start time> <End time>  Extract packets using libpcap filter language --------------------------------------------- /home/etargonski/pcap-util.pl filter <infile> <outfile> "libpcap filter string"

Additional Resources

Applicable Products


Join the conversation

Citrix Discussions

Open a case

Citrix Support