Wireshark mailing list archives
Re: Compressed capture?
From: Darren Tay <gluino () gmail com>
Date: Tue, 4 May 2010 13:07:04 +0800
I am using:

/usr/sbin/dumpcap -f 'port 25' -w - | gzip - -f > p25-03.cap.gz

Seems to be OK, except when the .cap.gz file is opened in the Wireshark GUI, I get a warning:
"The capture file appears to have been cut short in the middle of a packet."

I had terminated the job using CTRL-C.
Is there some other way to stop the capture and gzip cleanly?

Otherwise, I don't think it's a big deal to me, if it only affects the last packet in the file.

On 30 April 2010 19:32, Darren Tay <gluino () gmail com> wrote:
> On 30 April 2010 17:38, Jakub Zawadzki <darkjames () darkjames ath cx> wrote:
>> tshark can't compress traffic (it can only compress already existing capture files), I think you need:
>>
>> # dumpcap -f 'port 25' -w - | gzip - -f > capfile.pcap.gz
>>
>> or (better compression but Wireshark doesn't have support for lzma)
>>
>> # dumpcap -f 'port 25' -w - | xz - -f > capfile.pcap.xz
>
> Thanks, I'm using the gzip one, since I need Wireshark to read it.
>
> Since I don't have a good way to load test it, except with production traffic later next week, I have another question:
> During heavy port 25 traffic, bulk (legit) email newsletter, is doing the gzip arrangement above likely to help minimize dropped packets? Or is the plain tshark / tcpdump expected to cope better with heavy traffic?
>
> Also could you explain (or point me to an explanation of) the syntax you've given, mainly the lone minus-signs, before the pipe and after the "gzip"?
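
Added example, not part of the original thread: a Python check of how much of a capture such as `p25-03.cap.gz` is still readable when the gzip stream was cut short, i.e. whether the damage is limited to the last packet. It assumes dumpcap wrote classic pcap (pcapng is not handled); the sample capture is constructed in the code and the function names are illustrative.

```python
import gzip, hashlib, struct, zlib

def build_pcap(n):
    """Constructed sample: classic little-endian pcap with n 64-byte packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n):
        payload = hashlib.sha256(b"pkt%d" % i).digest() * 2
        out += struct.pack("<IIII", 1272949624 + i, 0, 64, 64) + payload
    return out

def inflate_partial(blob):
    """Decompress whatever a (possibly truncated) gzip stream still holds.
    Returns (data, complete); complete is False if the stream never finished."""
    d = zlib.decompressobj(31)          # wbits=31 selects the gzip container
    return d.decompress(blob), d.eof

def scan_pcap(data):
    """Walk classic pcap records; return (whole_packets, trailing_partial_bytes)."""
    if len(data) < 24:
        raise ValueError("pcap file header incomplete")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    off = 24                            # first record follows the file header
    count = 0
    while off + 16 <= len(data):
        (incl_len,) = struct.unpack_from(endian + "I", data, off + 8)
        if off + 16 + incl_len > len(data):
            break                       # record cut short: stop counting here
        off += 16 + incl_len
        count += 1
    return count, len(data) - off

def report(blob):
    """Summarise a gzip-compressed capture held in memory."""
    data, complete = inflate_partial(blob)
    packets, partial = scan_pcap(data)
    return {"gzip_complete": complete, "packets": packets, "partial_bytes": partial}

if __name__ == "__main__":
    gz = gzip.compress(build_pcap(20))
    print("intact   :", report(gz))
    print("cut short:", report(gz[: len(gz) * 2 // 3]))  # simulated abrupt stop
```

For a file on disk, pass `open(path, "rb").read()` to `report()`; a `gzip_complete` of False together with a non-zero `partial_bytes` corresponds to the "cut short in the middle of a packet" warning.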