Wireshark mailing list archives

Re: Display dumpcap in real time


From: Chip <jeffschips () gmail com>
Date: Tue, 01 Nov 2011 17:19:34 -0400

On 11/1/2011 5:07 PM, Guy Harris wrote:
On Nov 1, 2011, at 1:51 PM, Chip wrote:

Okay great Guy, that's perfectly clear now.  I think I will go with tcpdump -S as really I am only caring about the 
connection information and not raw packet information.

Do you think tcpdump can hold up to running for hours capturing connection information without crashing a system 
because of memory usage?
(If your *system* crashes because of memory usage, you should complain to your operating system vendor. :-))

If you run with the "-n" flag, it will not map link-layer addresses, or network-layer addresses such as IP addresses, to host 
names; that will reduce the likelihood of tcpdump stalling temporarily while trying to resolve an address (thus reducing the likelihood 
that it'll drop packets), and will also mean it won't allocate memory to store those address/name pairs, reducing the amount of 
memory it consumes as it runs.

If you run with both -S and -n, it shouldn't consume memory as it runs.

In tcpdump, can one use a ring buffer feature like in dumpcap?
At least in newer versions of tcpdump:

        if you use the -C flag, you can specify a file size in megabytes (1,000,000 bytes, not 1,048,576 bytes), and tcpdump 
will switch files once they've gotten bigger than the specified size;

        if you use the -G flag, you can specify a time in seconds, and tcpdump will either discard the previous capture 
file after that number of seconds and start a new capture or switch to a new file after that number of seconds.

Thanks Guy, that's perfect information.

Have a great day!
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
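The capture setup Guy describes, written out as an added example (this is not code from the thread or from the tcpdump project). It puts the flags together the way a practitioner would actually deploy them for an hours-long run: -C/-G rotation only applies when raw packets are written with -w, so the live capture goes to a bounded ring of files and the saved files are decoded afterwards with -n -S, which is where those two flags matter. -W is added to make -C a true ring buffer, -Z drops privileges, and a SYN/FIN/RST filter keeps only connection setup and teardown. The interface name eth0, the /var/tmp/conncap directory, the user nobody and the file sizes are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the tcpdump project:
# a long-running capture of TCP connection setup/teardown using the flags
# discussed in the message above. Ring-buffer rotation (-C, -G, -W) only
# applies when writing raw packets with -w, so packets are written to files
# and read back with -n -S for decoded connection output. Interface, output
# directory and the unprivileged user are assumptions for this example.

IFACE="${IFACE:-eth0}"
CAPDIR="${CAPDIR:-/var/tmp/conncap}"
DROP_TO_USER="${DROP_TO_USER:-nobody}"   # -Z drops to this user after the interface is opened

FILE_MB=100     # -C unit is 1,000,000 bytes, not 1,048,576
FILE_COUNT=50   # -W: files in the ring before the oldest is overwritten
SNAPLEN=128     # Ethernet + IP + TCP headers fit; payload is not needed for connection info

# Upper bound on the disk the -C/-W ring can occupy, in bytes.
ring_budget_bytes() {
    echo $(( $1 * 1000000 * $2 ))
}

# BPF filter: only segments with SYN, FIN or RST set, i.e. connection
# open and close, not the data in between.
conn_filter() {
    echo 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'
}

# Rotated files are created after privileges are dropped, so the
# directory must be writable by DROP_TO_USER or rotation fails.
prepare_capdir() {
    mkdir -p "$CAPDIR" && chown "$DROP_TO_USER" "$CAPDIR" \
        || { echo "cannot prepare $CAPDIR (run as root?)" >&2; exit 1; }
}

# Size-based ring: tcpdump appends 0..FILE_COUNT-1 to the -w name and
# wraps to the first file once FILE_COUNT files exist.
start_ring_capture() {
    prepare_capdir
    echo "ring buffer bounded at $(ring_budget_bytes "$FILE_MB" "$FILE_COUNT") bytes in $CAPDIR"
    exec tcpdump -i "$IFACE" -s "$SNAPLEN" -U -Z "$DROP_TO_USER" \
        -C "$FILE_MB" -W "$FILE_COUNT" -w "$CAPDIR/conn.pcap" "$(conn_filter)"
}

# Time-based rotation: a new file every hour. Without strftime fields in
# the name, -G would overwrite the same file each interval (the "discard
# the previous capture" behaviour); with -G, -W is a stop count rather
# than a wrap count, so this run ends after 24 files.
start_hourly_capture() {
    prepare_capdir
    exec tcpdump -i "$IFACE" -s "$SNAPLEN" -U -Z "$DROP_TO_USER" \
        -G 3600 -W 24 -w "$CAPDIR/conn_%Y%m%d_%H%M%S.pcap" "$(conn_filter)"
}

# Decode a saved file: -n skips address-to-name lookups, -S prints
# absolute sequence numbers so tcpdump keeps no per-connection state,
# -tttt gives full date and time stamps.
print_connections() {
    tcpdump -n -S -tttt -r "$1"
}

case "${1:-}" in
    ring)   start_ring_capture ;;
    hourly) start_hourly_capture ;;
    read)   print_connections "$2" ;;
esac
```

Run it as root with `ring` or `hourly` to start the capture, and `read /var/tmp/conncap/conn.pcap0` later to print the connections from one rotated file. With -C 100 and -W 50 the ring never exceeds 5,000,000,000 bytes on disk, and the snaplen keeps each stored packet to headers only.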