Jay Levitt wrote: > On 12/22/2007 4:01 AM, Sake Blok wrote: >> On Fri, Dec 21, 2007 at 10:10:45PM -0700, Stephen Fisher wrote: >>> On Fri, Dec 21, 2007 at 10:00:54PM -0500, Jay Levitt wrote: >>> >>>> As far as I can tell from searching the forum, there's no good way to >>>> keep Wireshark up and running and capturing to an in-memory circular >>>> buffer, >>> Correct. >> But... Wireshark comes with a utility called 'dumpcap'. Although >> this utility does write to disk instead of memory, it does not >> keep session-information. This means that it doesn't hog your >> memory while capturing for long periods of time. I have a system >> running with dumpcap for a few weeks now, it has captured almost >> 2 billion packets by now in a ring buffer of 1024 files of 16MB. >> (and the laptop on which it is running is still happy :-) ). > > Could you expand on "does not keep session information"? I assumed that > the only difference between doing it with dumpcap and doing it within > Wireshark was the lack of a loaded GUI.
Wireshark is a multi-layered application. Below is a capture driver interfacing with the OS to get packets, aka libpcap. On top of that is the capture engine handling packet retrieval and storage, aka dumpcap. On top of that is the dissection engine, one text mode variant, aka tshark, and a GUI variant, aka wireshark. So running dumpcap to capture and store packets forgoes the dissection part, which can become processing and memory intensive. >> The syntax I used is: >> >> dumpcap -i <interface> -s 1518 -w <file.cap> -b filesize:16384 -b files:1024 >> >> How's that for catching an intermittent problem :-) > > That's pretty darn intermittent! :) Well, I've a similar setup running, started somewhere in June this year, and still going happily about its business, on the platform handling call control for a hospital. I _never_ would use wireshark for that, but dumpcap is ideal. Thanx, Jaap _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
