Re: Compressed capture?

[Jakub Zawadzki <darkjames () darkjames ath cx>]

Hi,

On Fri, Apr 30, 2010 at 12:17:00PM +0800, Darren Tay wrote:
> Specifically, I am giving:
>   tshark port 25 -w capfile.cap
>
> The documentation isn't very clear about compressed-mode capturing.
> I am concerned because I need to capture quite a large volume of traffic in
> order to track down the problem I am looking for.
> I am guessing anywhere in the region of about 500 Mbyte to 2 Gbyte, within 5
> hours.
>
> Will tshark work OK like this?
> Do I need to explicitly tell it to write in compressed mode?

tshark can't compress trafic (it can only compress already existsing capture files),
I think you need:

# dumpcap -f 'port 25' -w - | gzip - -f > capfile.pcap.gz
or (better comppression but wireshark don't have support for lzma)
# dumpcap -f 'port 25' -w - | xz - -f > capfile.pcap.xz

hth.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe