Wireshark mailing list archives

Compressed capture?


From: Darren Tay <gluino () gmail com>
Date: Fri, 30 Apr 2010 12:17:00 +0800

Hi all, getting straight to the question...

I am relatively new, and am using tshark over SSH (on an outsourced
datacenter box, CentOS/RH), and then transferring the .cap file over to a
local box for review using the GUI.
Specifically, I am giving:
  tshark port 25 -w capfile.cap

The documentation isn't very clear about compressed-mode capturing.
I am concerned because I need to capture quite a large volume of traffic in
order to track down the problem I am looking for.
I am guessing anywhere in the region of about 500 Mbyte to 2 Gbyte, within 5
hours.

Will tshark work OK like this?
Do I need to explicitly tell it to write in compressed mode?

When capturing in compressed mode, is the compression done in a streaming
fashion or is it applied just once when capturing has ended?

Thanks!
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users