On 12/22/2007 4:01 AM, Sake Blok wrote:
> On Fri, Dec 21, 2007 at 10:10:45PM -0700, Stephen Fisher wrote:
>> On Fri, Dec 21, 2007 at 10:00:54PM -0500, Jay Levitt wrote:
>>
>>> As far as I can tell from searching the forum, there's no good way to
>>> keep Wireshark up and running and capturing to an in-memory circular
>>> buffer,
>> Correct.
> 
> But... Wireshark comes with a utility called 'dumpcap'. Although
> this utility does write to disk instead of memory, it does not
> keep session-information. This means that it doesn't hog your
> memory while capturing for long periods of time. I have a system
> running with dumpcap for a few weeks now, it has captured almost
> 2 billion packets by now in a ring buffer of 1024 files of 16MB.
> (and the laptop on which it is running is still happy :-)  ).

Could you expand on "does not keep session information"?  I assumed that 
the only difference between doing it with dumpcap and doing it within 
Wireshark was the lack of a loaded GUI.

> 
> The syntax I used is:
> 
> dumpcap -i <interface> -s 1518 -w <file.cap> -b filesize:16384 -b files:1024
> 
> How's that for catching an intermittent problem :-)

That's pretty darn intermittent! :)


Jay
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
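
Once a ring-buffer capture like the dumpcap command quoted above has run for weeks, the practical step after an intermittent event is picking out which ring files cover the incident window. The following is an added example, not code from anyone in this thread; it assumes dumpcap's ring-file naming `<prefix>_<5-digit sequence>_<YYYYMMDDHHMMSS><suffix>` with timestamps in the capture host's local time, and the file names in it are constructed.

```python
import re
from datetime import datetime

# Assumed ring-file naming: <prefix>_<5-digit seq>_<YYYYMMDDHHMMSS><suffix>
RING_NAME = re.compile(r"^.+_(?P<seq>\d{5})_(?P<ts>\d{14})(\.\w+)?$")


def parse_ring_name(name):
    """Return (start_time, sequence, name), or None if it is not a ring file."""
    m = RING_NAME.match(name)
    if not m:
        return None
    try:
        started = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that are not a valid date
        return None
    return started, int(m["seq"]), name


def files_covering(names, start, end):
    """Ring files whose capture interval overlaps [start, end].

    A file holds packets from its own timestamp until the next file was
    opened; the newest file is treated as still open.
    """
    ring = sorted(p for p in map(parse_ring_name, names) if p)
    hits = []
    for i, (started, _seq, name) in enumerate(ring):
        closed = ring[i + 1][0] if i + 1 < len(ring) else datetime.max
        if started <= end and closed >= start:
            hits.append(name)
    return hits


# Constructed directory listing for a capture started with "-w file.cap".
SAMPLE = [
    "file_00003_20071221224010.cap",
    "file_00001_20071221220000.cap",
    "notes.txt",
    "file_00004_20071221230500.cap",
    "file_00002_20071221221530.cap",
]

if __name__ == "__main__":
    window = (datetime(2007, 12, 21, 22, 30), datetime(2007, 12, 21, 22, 45))
    for path in files_covering(SAMPLE, *window):
        print(path)
```

The selected files can then be opened in Wireshark one at a time, which keeps memory use bounded in the same way the ring buffer does during capture.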
