compressing / reading lz4

I'm on Ubuntu 19.10.

I have a pcap file x.pcap which i can evaluate using tshark -r x.pcap

I want to work with compressed pcap files.

I do lz4 x.pcap. Trying to evaluate with tshark -r x.pcap.lz4 fails with "tshark: The file "x.pcap.lz4" isn't a capture file in a format TShark understands."

tshark -v shows version "TShark (Wireshark) 3.0.5 (Git v3.0.5 packaged as 3.0.5-1)" and lists "with zlib 1.2.11"

Only gzip compressed files are supported.

https://www.wireshark.org/docs/man-pa...

-r|--read-file <infile>
Read packet data from infile, can be any supported capture file format (including gzipped files).

https://www.wireshark.org/docs/man-pa...

There is no need to tell Wireshark what type of file you are reading; it will determine the file type by itself. Wireshark is also capable of reading any of these file formats if they are compressed using gzip. Wireshark recognizes this directly from the file; the '.gz' extension is not required for this purpose.

Chuckc

answered 2020-05-11 06:44:43 +0000

edit flag offensive 0 remove flag delete link

Comments

I felt pretty sure, support for lz4 amongst a few others was indicated on some webpage / commit since some early 3.0x version. Must have been some protocol compression support then.

Bummer, gzip compresses too slow for our use case.

Thanks.

msi (2020-05-11 07:13:43 +0000) edit

Yes, it looks like some dissectors use it: Commits mentioning lz4

Chuckc (2020-05-11 14:13:08 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

compressing / reading lz4 edit

Comments

1 Answer

Comments