Here are a few pointers to be aware of.

First of all, your capture setup. If you know a little networking, you are aware of the fact that the equipment is optimized to send traffic only where it needs to be. This makes capturing 'the network' somewhat tricky. A good switch with a monitor port is invaluable, but other options are available, depending on the exact layout of the network. See this page for some suggestions.

Then you look into 'long term' capture. This is a somewhat different subject than packet dissection, the stuff that Wireshark does. Wireshark doesn't capture itself; it uses dumpcap for that. When you use Wireshark to capture, it is actually capturing and dissecting. This costs a lot of (memory) resources, eventually crashing Wireshark. Going with dumpcap directly allows you to prevent this problem.

Also, long-term capture doesn't mean you have to capture everything; you know what you are looking for. The capture engine has a powerful capture filter which should allow you to grab only the relevant traffic and drop the rest, vastly limiting disk usage on long-term capture. Also, you could choose to limit the amount of packet data you capture while keeping the vital addressing information.

This is as far as I can go. Good luck.
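The dumpcap-based long-term capture the answer describes, as an added example that is not part of the original answer: a capture filter keeps only the traffic of interest, a snaplen cuts off payload while keeping the addressing headers, and a ring buffer bounds disk usage. The interface name, filter, output directory and sizes are assumed values to adapt.

```shell
#!/bin/sh
# Long-term capture with dumpcap instead of the Wireshark GUI.
# Assumed values: interface eth0, a DNS/HTTPS capture filter, /var/captures as output.
IFACE="${IFACE:-eth0}"
OUTDIR="${OUTDIR:-/var/captures}"
# Capture filter (BPF syntax): grab only the relevant traffic, drop the rest.
CAPFILTER='tcp port 443 or udp port 53'
# Snaplen in bytes: enough for Ethernet + IP + TCP/UDP headers, payload is truncated.
SNAPLEN=128
# Ring buffer: rotate at roughly 100000 kB per file, keep at most 50 files,
# then overwrite the oldest, so disk usage stays bounded.
FILESIZE_KB=100000
MAXFILES=50

# Build the dumpcap command line so it can be reviewed before it is run.
build_dumpcap_cmd() {
    printf 'dumpcap -q -i %s -f "%s" -s %s -b filesize:%s -b files:%s -w %s/longterm.pcapng' \
        "$IFACE" "$CAPFILTER" "$SNAPLEN" "$FILESIZE_KB" "$MAXFILES" "$OUTDIR"
}

# Upper bound on disk used by the ring buffer, in megabytes (integer).
ring_buffer_max_mb() {
    echo $(( FILESIZE_KB * MAXFILES / 1024 ))
}

# Start the capture only if dumpcap is installed (it needs capture privileges
# on the interface); otherwise show what would have been run.
run_capture() {
    cmd=$(build_dumpcap_cmd)
    if command -v dumpcap >/dev/null 2>&1; then
        mkdir -p "$OUTDIR"
        eval "$cmd"
    else
        echo "dumpcap not found; would run: $cmd"
        return 1
    fi
}

# Pass --run to actually start capturing; without it the script only defines the helpers.
if [ "${1:-}" = "--run" ]; then
    echo "ring buffer upper bound: $(ring_buffer_max_mb) MB"
    run_capture
fi
```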