This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

record in wireshark

0

hello,

I have a problem with a server. I want to see the traffic on the server from 4:00 a.m. until 5:00 a.m. I use a port mirror on a Cisco switch because I can't use Wireshark on the server. When I use Wireshark for a lot of time, the software stops (does not respond).

How can I record the traffic at a specific time?

thanks...

asked 16 Aug '13, 01:16

ron1990
accept rate: 0%


One Answer:

1

Wireshark may be stopping because it is out of memory. This is a known problem when capturing large amounts of data. Instead of using Wireshark (or tshark), use dumpcap, which only creates capture files and doesn't do any parsing, and then use Wireshark on the output files. I say files because dumping all the data into a single file may still be too big for Wireshark to handle.

You can use dumpcap with the -a duration parameter to set the capture time length, e.g. -a duration:3600 for a total capture time of 1 hour and the -b filesize: parameter to set the individual capture file length, e.g. -b filesize:100000 to have 100MB files.

answered 16 Aug '13, 02:05

grahamb ♦
accept rate: 22%
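
The dumpcap options from the answer above, wrapped in a script that cron can start at 04:00. This is an added example, not part of the original answer or of Wireshark itself. It assumes a Linux capture PC on the mirror port; the interface name eth1, the directory /var/captures, the script path and the free-space threshold are assumptions.

```shell
#!/bin/sh
# Added example: start from cron on the capture PC attached to the mirror port, e.g.
#   0 4 * * * CAPTURE_RUN=1 /usr/local/bin/capture-window.sh
# Interface name, output directory and script path are assumptions.

IFACE="${IFACE:-eth1}"              # NIC connected to the mirror (SPAN) port
OUTDIR="${OUTDIR:-/var/captures}"   # directory for the capture files
DURATION=3600                       # -a duration:3600   -> stop after 1 hour
FILESIZE_KB=100000                  # -b filesize:100000 -> new file every ~100 MB
MIN_FREE_KB=20000000                # refuse to start with under ~20 GB free (assumed budget)

# Print the dumpcap command line for interface $1 and output file $2.
capture_cmd() {
    printf 'dumpcap -q -i %s -a duration:%s -b filesize:%s -w %s\n' \
        "$1" "$DURATION" "$FILESIZE_KB" "$2"
}

# Succeed only if the filesystem holding directory $1 has at least $2 kB free.
enough_space() {
    free_kb=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "${free_kb:-0}" -ge "$2" ]
}

run_capture() {
    umask 077                       # captures hold server traffic: owner-only files
    mkdir -p "$OUTDIR" || return 1
    if ! enough_space "$OUTDIR" "$MIN_FREE_KB"; then
        echo "not enough free space in $OUTDIR, capture skipped" >&2
        return 1
    fi
    # dumpcap appends a sequence number and timestamp to each file name
    out="$OUTDIR/server_$(date +%Y%m%d).pcapng"
    cmd=$(capture_cmd "$IFACE" "$out")
    echo "starting: $cmd" >&2
    $cmd   # word-splitting is intended; the paths above contain no spaces
}

# Only capture when explicitly asked to, so the file can be sourced safely.
if [ "${CAPTURE_RUN:-0}" = 1 ]; then
    run_capture
fi
```

The account running the script needs permission to capture on the interface, and the resulting files can then be opened one at a time in Wireshark.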