
It's very large, probably larger than the amount of memory you'll need to keep tshark running for that amount of traffic.

When working with volumes like these you have to start to think about separating capture (the art of getting packets) and dissection (the art of interpreting packets). Capturing takes disk space (to write capture files), while dissection takes memory (to keep track of packet correlations). This state being built up takes an increasing amount of memory. This is what happens if you use tshark for packet capture.

Since you're looking at dumping multiple gigabytes of data, look into dumpcap to handle your capture needs. If you can provide the disk space to store the capture files, you should be fine.
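
The split between capture and dissection described in the answer above, as an added example that is not part of the original answer: dumpcap writes a ring buffer sized to a disk budget, and tshark later reads the files one at a time so its dissection state is thrown away between files. The interface name, directory, sizes and the helper names `ring_files`, `capture_cmd` and `dissect_each` are assumptions.

```shell
#!/bin/sh
# Added example: plan a dumpcap ring buffer, then dissect offline with tshark.
# eth0, /var/tmp/caps and the sizes used below are assumed values.

# ring_files DISK_BUDGET_MB FILE_SIZE_MB -> how many ring-buffer files fit
ring_files() {
    budget_mb=$1; file_mb=$2
    # A ring needs at least two files: one being written, one complete.
    if [ "$file_mb" -le 0 ] || [ "$budget_mb" -lt $((file_mb * 2)) ]; then
        echo "disk budget must hold at least two capture files" >&2
        return 1
    fi
    echo $((budget_mb / file_mb))
}

# capture_cmd IFACE OUT_DIR DISK_BUDGET_MB FILE_SIZE_MB -> dumpcap command line
# -b filesize: takes a value in kB; -b files: caps the file count, so the
# oldest file is overwritten once the budget is used up.
capture_cmd() {
    n=$(ring_files "$3" "$4") || return 1
    echo "dumpcap -i $1 -w $2/capture.pcapng -b filesize:$(($4 * 1000)) -b files:$n"
}

# dissect_each OUT_DIR: one tshark process per capture file, so the
# correlation state tshark builds up never outlives a single file.
# Conversations that span two files are not reassembled across them.
dissect_each() {
    for f in "$1"/capture_*.pcapng; do
        [ -e "$f" ] || continue          # glob matched nothing
        tshark -r "$f" -q -z io,stat,0   # per-file I/O summary
    done
}

# Print the capture command for a 20 GB budget in 500 MB files.
capture_cmd eth0 /var/tmp/caps 20000 500
```
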