The problem is that, even by sending only one VLAN data, it is the core switch and the amount of data is tremendous, so the PC RAM cannot handle a capture that lasts more than 2 minutes.

In no place does any program in the Wireshark suite store raw packet data in memory without writing it to a file. Dumpcap always writes packets to a file; both Wireshark and TShark run dumpcap to do the capturing and read packets from the file to which dumpcap is writing.

Wireshark and TShark do, however, keep some information about all the packets in memory, even though they don't keep the raw packet data in memory; Wireshark, and TShark if it's doing 2-pass processing, will keep a table of packets, storing some packet information including the offset in the file at which the packet record appears, and will keep the contents of reassembled packets.

Dumpcap or tcpdump can be used to write packets to a file, although they will pass through memory on the way to the file even though they won't be kept permanently in the dumpcap/tcpdump address space.
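
To illustrate the kind of packet table described above, here is an added sketch (not Wireshark's code and not part of the original answer) that walks a classic pcap file and keeps only each record's file offset, timestamp and captured length, skipping the packet bytes. The function names and the sample capture are constructed for illustration; only the microsecond-timestamp classic pcap format is handled.

```python
import io
import struct

# Classic pcap magic numbers (microsecond timestamps) mapped to struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def index_pcap(stream):
    """Return [(file_offset, ts_sec, captured_len), ...] without keeping packet data."""
    stream.seek(0, io.SEEK_END)
    size = stream.tell()
    stream.seek(0)
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    endian = PCAP_MAGICS[header[:4]]
    table = []
    while True:
        offset = stream.tell()
        rec = stream.read(16)
        if len(rec) < 16:
            break  # end of file, or a record header that is still being written
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        if offset + 16 + incl_len > size:
            break  # packet bytes not fully on disk yet (capture still running)
        # Seek past the packet bytes: only the metadata row stays in memory.
        stream.seek(incl_len, io.SEEK_CUR)
        table.append((offset, ts_sec, incl_len))
    return table


def build_sample_pcap(payload_sizes):
    """Constructed sample: little-endian pcap whose packets are zero-filled."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, size in enumerate(payload_sizes):
        out += struct.pack("<IIII", 1700000000 + i, 0, size, size) + bytes(size)
    return out


if __name__ == "__main__":
    data = build_sample_pcap([60, 1500, 9000])
    rows = index_pcap(io.BytesIO(data))
    for offset, ts_sec, caplen in rows:
        print(f"offset={offset:6d} ts={ts_sec} caplen={caplen}")
    # The table grows with the packet count, not with the bytes captured.
    print(f"{len(rows)} rows index {len(data)} bytes of capture file")
```
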