Ask Your Question
0

Send wireshark capture directly to a file

asked 2019-04-02 17:39:47 +0000

ERME gravatar image

updated 2019-04-02 17:41:56 +0000

Hi,

Is it possible to get the capture result sent directly to a file, without being cached in the RAM ?

I want to perform a capture for a customer, the PC will be connected to the core switch, and the only possible filter on the switch is to limit the data sent to one VLAN instead of all VLANs.

The problem is that, even by sending only one VLAN data, it is the core switch and the amount of data is tremendous, so the PC RAM cannot handle a capture that last more than 2 minutes. This is why we are looking for a way to send the capture data directly to the HD.

Hope you will be able to provide with a tip.

Have a nice week.

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
0

answered 2019-04-03 06:18:12 +0000

Jaap gravatar image

If even dumpcap or tcpdump can't keep up with the packet rate more dedicated line-rate capture options come into view, i.e. ProfiShark or n2disk.

edit flag offensive delete link more
0

answered 2019-04-03 05:30:19 +0000

Guy Harris gravatar image

The problem is that, even by sending only one VLAN data, it is the core switch and the amount of data is tremendous, so the PC RAM cannot handle a capture that last more than 2 minutes.

In no place does any program in the Wireshark suite store raw packet data in memory without writing it to a file. Dumpcap always writes packets to a file; both Wireshark and TShark run dumpcap to do the capturing and read packets from the file to which dumpcap is writing.

Wireshark and TShark do, however, keep some information about all the packets in memory, even though they don't keep the raw packet data in memory; Wireshark, and TShark if it's doing 2-pass processing, will keep a table of packets, storing some packet information including the offset in the file at which the packet record appears, and will keep the contents of reassembled packets.

Dumpcap or tcpdump can be used to write packets to a file, although they will pass through memory on the way to the file even though they won't be kept permanently in the dumpcap/tcpdump address space.

edit flag offensive delete link more
0

answered 2019-04-02 18:11:27 +0000

cmaynard gravatar image

You can use dumpcap to essentially capture to a file (or ring buffer of files) forever. A ring buffer might be beneficial for long-term capturing to limit the number of files saved and the size of each file.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-04-02 17:39:47 +0000

Seen: 1,210 times

Last updated: Apr 03 '19