Wireshark mailing list archives

Re: Can I get Wireshark to capture constantly, but not count to infinity ?


From: Phil Paradis <Phil.Paradis () unitedtote com>
Date: Mon, 23 Aug 2010 15:25:11 -0700

If you're going to run continuously, I'd suggest using dumpcap, rather than Wireshark. Dumpcap merely captures the 
data, without trying to analyze it, so it doesn't need large amounts of memory to store state information.

You can configure a capture to use a ring buffer of a fixed maximum size; that would probably be better than simply 
erasing everything periodically, as it would guarantee some amount of historical data so long as the capture is running.

If the capture needs to survive between user sessions/reboots, you could set up dumpcap to run as a daemon (on *nix) or 
service (on Windows; you'll need srvany.exe from the resource kit tools) so that it will run in the background and 
auto-start after a reboot. 

Note that when using a ring buffer, the state data for the buffer is lost when dumpcap stops; when it restarts, a new 
buffer is created. As such, if you configure dumpcap to start automatically on boot, make sure you have a script set up 
to clean out the old files from prior sessions.

On Aug 23, 2010, at 4:00 PM, Gregorio Tomas Focaccio wrote:

Hello,

I'm setting up a small development / study network and I would like Wireshark to be constantly capturing, aside from 
pauses to reconfigure.   I want Wireshark to capture N packets or N megabytes worth of data or for N minutes and 
then, when it reaches N+1, to clear everything but keep capturing starting with a clean slate.  Is this possible?

I'm worried that with default settings a continuous capture will overload the memory resources of the server.   Is 
there a way to define a maximum memory allocation for captured data?

Thanks,
Greg

--
Phillip Paradis / Network Engineer / United Tote
Phone +1 502 509 7445 / Email phillip.paradis () unitedtote com
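
The setup described in the reply above, sketched as a start-up wrapper. This is an added example, not part of the original post: it clears ring-buffer files left by a previous dumpcap session, then starts a new fixed-size ring. The interface name, capture directory, file base name and sizes are assumptions to adjust.

```shell
#!/bin/sh
# Start-up wrapper for a continuous dumpcap ring-buffer capture.
# All values below are assumed defaults; override them via the environment.
IFACE=${IFACE:-eth0}              # capture interface (assumption)
CAP_DIR=${CAP_DIR:-/var/capture}  # directory holding the ring files (assumption)
BASE=${BASE:-ring}                # file base name (assumption)
EXT=${EXT:-pcapng}
FILE_KB=${FILE_KB:-102400}        # size of each ring file, in kB
NUM_FILES=${NUM_FILES:-10}        # number of files kept in the ring

# Upper bound on disk use of the ring, in kB.
ring_budget_kb() {
    echo $(( $1 * $2 ))
}

# Delete files left by an earlier session. With -b, dumpcap names ring files
# <base>_<5-digit index>_<YYYYMMDDHHMMSS>.<ext>; only that pattern is matched,
# so unrelated files in the directory are left alone. Symlinks are skipped.
# Prints the number of files removed.
purge_stale_ring_files() {
    dir=$1; base=$2; ext=$3; removed=0
    for f in "$dir/$base"_[0-9][0-9][0-9][0-9][0-9]_[0-9]*."$ext"; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        rm -f -- "$f" && removed=$((removed + 1))
    done
    echo "$removed"
}

# Replace this shell with dumpcap writing a ring of NUM_FILES files of
# FILE_KB kB each. Needs capture privileges on the interface.
start_ring_capture() {
    exec dumpcap -i "$IFACE" \
        -b "filesize:$FILE_KB" -b "files:$NUM_FILES" \
        -w "$CAP_DIR/$BASE.$EXT"
}

# Only act when invoked as "<script> start", e.g. from an init script.
if [ "${1:-}" = "start" ]; then
    n=$(purge_stale_ring_files "$CAP_DIR" "$BASE" "$EXT")
    echo "removed $n stale file(s); ring budget $(ring_budget_kb "$FILE_KB" "$NUM_FILES") kB"
    start_ring_capture
fi
```

If the previous session's captures may be needed for an investigation, move them to an archive directory instead of deleting them before the new ring starts.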
