Ask Your Question
0

tshark packet counter maximum value

asked 2018-07-23 07:10:06 +0000

wbenton gravatar image

When using tshark to dump to large files (i.e. 1GBytes/file) and you want to capture several hundred gigabytes of data, what is the maximum packet counter value that tshark can handle?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-07-23 08:13:00 +0000

Jaap gravatar image

It's very large, probably larger than the amount of memory you'll need to keep tshark running for that amount of traffic.

When working with volumes like these you have start to think about separating capture (the art of getting packets) and dissection (the art of interpreting packets). Capturing takes disk space (to write capture files), while dissection takes memory (to keep track of packet correlations). This state being build up takes increasing amount of memory. This is what happens it you use tshark for packet capture.

Since you're looking at dumping multi giga bytes of data look into dumpcap to handle your capture needs. If you can provide the disk space to store the capture files, you should be fine.

edit flag offensive delete link more

Comments

I'm currently looking at the tshark packet counter and it shows 747,345,008 packets with 297,457 packets dropped!

What is the max value before tshark just dies?

wbenton gravatar imagewbenton ( 2018-07-24 00:38:01 +0000 )edit

Without having checked the code I expect the max packet count to be at least uint32_t, so 2^32 = 4,294,967,296. And it might as well simply roll over and start again from 0. Can't remember anyone who tested that though.

Jaap gravatar imageJaap ( 2018-07-24 04:44:59 +0000 )edit

That sounds about right. I just dug up a screen capture of the counter from a few months ago and it showed 1,953,747,894 and counting.

wbenton gravatar imagewbenton ( 2018-07-24 08:36:06 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-07-23 07:10:06 +0000

Seen: 1,030 times

Last updated: Jul 23 '18