Wireshark mailing list archives
Re: Compressed capture?
From: Darren Tay <gluino () gmail com>
Date: Fri, 30 Apr 2010 19:32:25 +0800
On 30 April 2010 17:38, Jakub Zawadzki <darkjames () darkjames ath cx> wrote:
tshark can't compress traffic (it can only compress already existing capture files), I think you need:

    # dumpcap -f 'port 25' -w - | gzip - -f > capfile.pcap.gz

or (better compression, but Wireshark doesn't have support for lzma)

    # dumpcap -f 'port 25' -w - | xz - -f > capfile.pcap.xz

Thanks, I'm using the gzip one, since I need Wireshark to read it.

Since I don't have a good way to load test it, except with production traffic later next week, I have another question: During heavy port 25 traffic, bulk (legit) email newsletters, is doing the gzip arrangement above likely to help minimize dropped packets? Or is the plain tshark / tcpdump expected to cope better with heavy traffic?

Also, could you explain (or point me to an explanation of) the syntax you've given, mainly the lone minus signs before the pipe and after the "gzip"?
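An added example, not part of the original thread and not Wireshark code: a Python check for a file produced by the `dumpcap ... -w - | gzip` pipeline quoted above, reporting whether the gzip stream ended cleanly and how many complete packets it holds. It assumes the classic pcap format (not pcapng); the function names and the sample capture are constructed for illustration.

```python
import gzip
import hashlib
import struct
import zlib

# Byte order keyed by the first four bytes of a classic pcap file.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def build_sample_capture(n_packets=20):
    """Constructed sample: gzip-compressed classic pcap with filler payloads."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n_packets):
        payload = hashlib.sha256(bytes([i])).digest()  # 32 filler bytes
        pcap += struct.pack("<IIII", 1272627145 + i, 0, len(payload), len(payload))
        pcap += payload
    return gzip.compress(pcap)

def count_packets(pcap):
    """Return (complete_packets, leftover_bytes) for classic pcap bytes."""
    endian = PCAP_MAGICS.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap stream")
    pos, packets = 24, 0                      # 24-byte global header
    while pos + 16 <= len(pcap):              # 16-byte per-packet header
        incl_len = struct.unpack_from(endian + "I", pcap, pos + 8)[0]
        if pos + 16 + incl_len > len(pcap):   # record cut off mid-packet
            break
        pos += 16 + incl_len
        packets += 1
    return packets, len(pcap) - pos

def check_capture(gz_bytes):
    """Decompress what is there and report how the stream ends."""
    d = zlib.decompressobj(31)                # 31 = expect a gzip wrapper
    pcap = d.decompress(gz_bytes)
    packets, leftover = count_packets(pcap)
    return {"clean_gzip_end": d.eof, "packets": packets,
            "partial_tail_bytes": leftover}

if __name__ == "__main__":
    sample = build_sample_capture()
    print(check_capture(sample))                      # complete file
    print(check_capture(sample[: len(sample) // 2]))  # writer stopped early
```

For a real file, pass the bytes of `capfile.pcap.gz` to `check_capture`; `clean_gzip_end` being false means the compressed stream stops before its end-of-stream marker.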