
Wireshark

Working with large PCAPs

Recently I helped troubleshoot a networking issue on a 1Gbps link that was being fully saturated. In the end we configured a mirror port and dumped the traffic to analyse it. We ended up with more than 1000 files of 100MB each, covering a half-hour window. I was not sure what to do with that quantity of data (around 100GB); in the end we looked at a few of the captures and found the issue. However, I could not help feeling that, because most of the captures only covered a few seconds, I was not really looking at the full picture.
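One way to get that full picture without opening a thousand files one at a time is to stream every capture through a single pass that keeps only aggregates: bytes per second across the whole window (which is what matters for a saturated link) and the top talkers by source address. The script below is an added example, not code from the original post or from the Wireshark project. It assumes classic libpcap files with Ethernet framing (Wireshark and dumpcap write pcapng by default; convert with `editcap -F pcap` first), and the two tiny captures it analyses are constructed in memory so it runs offline. It counts the on-the-wire length (`orig_len`) rather than the captured length, so a short snaplen does not distort the byte totals.

```python
import struct
from collections import Counter

# Magic numbers for the four classic libpcap variants: little/big endian,
# microsecond or nanosecond timestamps. pcapng is deliberately not handled.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}


def pcap_records(data):
    """Yield (timestamp_seconds, wire_length, captured_bytes) from one libpcap buffer."""
    try:
        endian, frac_div = _MAGICS[data[:4]]
    except KeyError:
        raise ValueError("not a classic libpcap file (pcapng needs editcap -F pcap first)")
    # Global header after the magic: version major/minor, thiszone, sigfigs, snaplen, linktype.
    _, _, _, _, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled, got linktype %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break  # truncated final record, e.g. capture killed mid-write
        yield ts_sec + ts_frac / frac_div, orig_len, data[off:off + incl_len]
        off += incl_len


def summarize(capture_buffers):
    """Single streaming pass over many captures; keeps only aggregates, never the packets."""
    bytes_by_src = Counter()
    bytes_per_second = Counter()
    packets = 0
    first = last = None
    for data in capture_buffers:
        for ts, wire_len, pkt in pcap_records(data):
            packets += 1
            first = ts if first is None else min(first, ts)
            last = ts if last is None else max(last, ts)
            bytes_per_second[int(ts)] += wire_len
            # Ethernet (14 bytes) + IPv4 header: source address sits at offset 26.
            if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":
                src = ".".join(str(b) for b in pkt[26:30])
                bytes_by_src[src] += wire_len
    return {
        "packets": packets,
        "span_seconds": 0.0 if first is None else last - first,
        "bytes_per_second": dict(bytes_per_second),
        "top_talkers": bytes_by_src.most_common(5),
    }


# --- constructed sample data below (not real traffic) ---------------------

def _ipv4_frame(src, dst, payload_len):
    """Minimal Ethernet + IPv4/UDP-ish frame with a zero payload; checksums left at zero."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + b"\x00" * payload_len


def _pcap(records, snaplen=96):
    """Serialize (timestamp, frame) pairs as a little-endian microsecond libpcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for ts, frame in records:
        cap = frame[:snaplen]  # snaplen truncation, as a real capture would do
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(cap), len(frame)) + cap)
    return b"".join(out)


# Two short "files" back to back, the way a ring-buffer capture splits a window.
SAMPLE_FILES = [
    _pcap([(1000.0, _ipv4_frame("10.0.0.5", "10.0.0.9", 1400)),
           (1000.5, _ipv4_frame("10.0.0.7", "10.0.0.9", 100))]),
    _pcap([(1001.0, _ipv4_frame("10.0.0.5", "10.0.0.9", 1400)),
           (1001.25, _ipv4_frame("10.0.0.5", "10.0.0.9", 1400)),
           (1001.5, _ipv4_frame("10.0.0.7", "10.0.0.9", 100))]),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FILES))
```

For real captures, replace `SAMPLE_FILES` with the files opened in timestamp order (for example `sorted(glob.glob("*.pcap"))`, passing `open(path, "rb").read()` or, better, a memory-mapped view for 100MB files). Because nothing but counters is retained, the pass over 100GB is bounded by disk read speed rather than memory, and the `bytes_per_second` table is what shows where in the half hour the link actually hit saturation.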