Wireshark mailing list archives

Re: Compressed capture?


From: Darren Tay <gluino () gmail com>
Date: Fri, 30 Apr 2010 19:32:25 +0800

On 30 April 2010 17:38, Jakub Zawadzki <darkjames () darkjames ath cx> wrote:


tshark can't compress traffic (it can only compress already existing
capture files),
I think you need:

# dumpcap -f 'port 25' -w - | gzip - -f > capfile.pcap.gz
or (better compression, but Wireshark doesn't have support for lzma)
# dumpcap -f 'port 25' -w - | xz - -f > capfile.pcap.xz


Thanks, I'm using the gzip one, since I need Wireshark to read it.

Since I don't have a good way to load test it, except with production
traffic later next week, I have another question:
During heavy port 25 traffic, bulk (legit) email newsletter, is doing the
gzip arrangement above likely to help minimize dropped packets? Or is the
plain tshark / tcpdump expected to cope better with heavy traffic?

Also could you explain (or point me to an explanation of) the syntax you've
given, mainly the lone minus-signs, before the pipe and after the "gzip".
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
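
Added example, not part of the original thread or of Wireshark: a Python check for a capture written by the `dumpcap -w - | gzip` pipeline quoted above. It reports whether the gzip stream is complete and how many whole packet records it holds, which matters when the pipeline was stopped before gzip wrote its trailer. The function names and the sample data are constructed for illustration; only classic pcap records are counted, and pcapng is only identified.

```python
import gzip
import struct
import zlib

# On-disk magic of classic pcap (micro/nanosecond variants) -> struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
               b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # block type of a pcapng Section Header Block

def inflate_tolerant(raw):
    """Return (data, complete); complete is False if the gzip trailer was never reached."""
    d = zlib.decompressobj(wbits=31)  # 31 selects gzip framing
    try:
        return d.decompress(raw), d.eof
    except zlib.error:
        return b"", False

def check_capture(raw):
    """Summarise a gzip-compressed capture given as bytes."""
    data, complete = inflate_tolerant(raw)
    result = {"gzip_complete": complete, "format": "unknown",
              "packets": 0, "partial_record": False}
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        result["format"] = "pcapng"
        return result
    if magic not in PCAP_MAGICS or len(data) < 24:
        return result
    result["format"] = "pcap"
    endian, off = PCAP_MAGICS[magic], 24  # 24-byte global header
    while off + 16 <= len(data):          # 16-byte per-packet header
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        if off + 16 + incl_len > len(data):
            break                         # packet body cut off
        off += 16 + incl_len
        result["packets"] += 1
    result["partial_record"] = off != len(data)
    return result

def sample_gz(n):
    """Constructed sample: gzip of a little-endian pcap holding n 60-byte dummy frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 1272627145, i, 60, 60) + bytes(60)
                    for i in range(n))
    return gzip.compress(hdr + recs)

if __name__ == "__main__":
    whole = sample_gz(5)
    print(check_capture(whole))
    print(check_capture(whole[:-8]))  # 8-byte gzip trailer missing
```

For a real file, pass `open("capfile.pcap.gz", "rb").read()` to `check_capture`.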
