Wireshark stops capturing for almost an hour

asked 2022-06-10 15:16:58 +0000

otman

I am capturing packets while mirroring the traffic of a port used to connect a FreePBX server. I noticed that after an LLDP message, the capture stops for almost one hour, and during this period the issue I am troubleshooting, micro blanks during the calls, happens.

Any idea why it stops capturing? Please be informed that LLDP advertisements were sent many times before the one that is followed by the capture break.

answered 2022-06-10 18:03:35 +0000

Jaap

Two options come to mind.

  1. Search for "Long term capture" and "dumpcap" for tips on capture sessions like this. Your server could have been overloaded.
  2. If your switch was overloaded, it could be that packet mirroring was dropped, as a low-priority feature.

Thanks for your support. I don't understand why dumpcap is not recognized by the macOS Z shell. I can see it when I go to the app/wireshark/content/macos directory.

otman ( 2022-06-13 19:26:37 +0000 )

Simply because it's not on your PATH. The installer contains information about that, see here.

Jaap ( 2022-06-14 05:52:11 +0000 )

> The installer contains information about that, see here.

Unfortunately "here" doesn't mention "Add Wireshark to the system path.pkg" by name, or give any details about it, just referring to a "system path" package, although it does mention "Install ChmodBPF.pkg" by name, indicating what it does. That part of the User's Guide could use a bit of a cleanup; it should either give enough details to duplicate what's in the "Read me first.html" file or should just point the user to that file.

Guy Harris ( 2022-06-15 07:09:13 +0000 )


I could add it to my PATH environment value and then it worked. On the other hand, if you can help, I noticed, in the switch log file, that the port I am using as destination went off when capturing stopped. Do you think the switch was overloaded or the server? If it is the first case, the switch should continue to prioritize voice traffic, as set, and we should not experience the degradation and the break-ups of the line. And if it is the second case, why did the switch turn the mirroring off if only the server was overloaded? Thanks for your support.

otman ( 2022-06-17 10:52:39 +0000 )

Last updated: Jun 17 '22