 | 1 | initial version |
It's very large, probably larger than the amount of memory you'll need to keep tshark running for that amount of traffic.
When working with volumes like these you have start to think about separating capture (the art of getting packets) and dissection (the art of interpreting packets). Capturing takes disk space (to write capture files), while dissection takes memory (to keep track of packet correlations). This state being build up takes increasing amount of memory. This is what happens it you use tshark for packet capture.
Since you're looking at dumping multi giga bytes of data look into dumpcap to handle your capture needs. If you can provide the disk space to store the capture files, you should be fine.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
