Please note that disk I/O is the main factor in being able to successfully capture and save all packets. If you want to capture the same packets to multiple files, you will increase the IOPS needed to save all packets without any discards. So the performance implication is that you need more striped disks to be able to save the data multiple times.

You are better off using dumpcap directly (dumpcap is used by tshark to do the capture-to-disk). As there is nothing currently available in dumpcap to dynamically determine which file to save to (or even which files (multiple) to save to), you will need to run dumpcap multiple times. This will increase the memory footprint to some degree, but as no state is being kept by dumpcap, it is just the memory needed to run multiple instances of dumpcap.

CPU-wise, multiple captures, each with a different capture filter, will impact the CPU as it needs to process each packet multiple times.

What is the use case for this setup, compared to capturing everything to disk once and then doing the filtering later?
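
The setup described in the answer above (one dumpcap process per capture filter, each writing its own files), sketched as an added example that is not part of the original answer. The interface, output directory, filter list, ring-buffer sizes and the `DUMPCAP` override variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: one dumpcap process per capture filter, each with its own
# ring buffer of files. All values below are assumptions, not from the answer.
IFACE="${IFACE:-eth0}"             # assumed capture interface
OUTDIR="${OUTDIR:-/var/tmp/pcap}"  # assumed output directory
DUMPCAP="${DUMPCAP:-dumpcap}"      # overridable so the script can be dry-run

# One capture per line: "<name>|<capture filter>" (constructed samples).
# An empty filter captures everything on the interface.
CAPTURES='dns|udp port 53
web|tcp port 80 or tcp port 443
all|'

# Start one dumpcap instance in the background for a "<name>|<filter>" entry.
start_one() {
  name=${1%%|*}
  filter=${1#*|}
  # -q: no packet counter; -b: ring buffer of 20 files of 100000 kB each,
  # which bounds the disk space each instance can consume.
  set -- -q -i "$IFACE" -w "$OUTDIR/$name.pcapng" -b filesize:100000 -b files:20
  if [ -n "$filter" ]; then
    set -- "$@" -f "$filter"
  fi
  "$DUMPCAP" "$@" &
  PIDS="$PIDS $!"
}

# Start every configured capture, then wait; INT/TERM stops all instances.
start_captures() {
  PIDS=""
  mkdir -p "$OUTDIR"
  while IFS= read -r entry; do
    start_one "$entry"
  done <<EOF
$CAPTURES
EOF
  trap 'kill $PIDS 2>/dev/null' INT TERM
  wait
}

# Capture only when invoked with the "start" argument.
if [ "${1:-}" = "start" ]; then
  start_captures
fi
```

Each instance reports its own dropped-packet count when it exits, which is the place to check whether the disks kept up with the multiplied write load.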