This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there a “Quick Reference” for using DUMPCAP?

1

I have need to run captures for a protracted period of time to try and catch an elusive problem. I need to be able to set capture filters for two IP hosts and I want to span multiple files, changing every 4 hours and I would like to be able to leave this running for several days without manual intervention.

I've been using Wireshark and have hit the "End of Memory" bug a few times now... The instructions for DUMPCAP are not terribly intuitive.

Is there a "Quick Reference" for dumpcap with sample commands to do specific sorts of tasks? I could try and hack my way through this, but I'm hoping there is an easier way... I just lack the time to become a dumpcap specialist and meet my current deadlines.

asked 13 Sep '11, 08:11

NCPman
accept rate: 0%

edited 13 Sep '11, 09:00

helloworld


2 Answers:

2

Run $ dumpcap -h or see the man-page for more information.

answered 13 Sep '11, 08:36

joke
accept rate: 9%

1

The manual page could use an Examples section.

(14 Sep '11, 03:55) Jaap ♦

2

If by "the instructions for DUMPCAP are not terribly intuitive" you mean the instructions you get when you click on Help > Manual Pages > Dumpcap, well, that is the quick reference. Everything you want to do is listed there.

First, run "dumpcap -D" to get a list of the interfaces on your system.

You'll want these options:

-i n Where 'n' is the number of the interface you want to capture on.

-b duration:14400 To specify that dumpcap should start a new file after four hours (14400 seconds).

-f "ip host 192.168.1.1 or ip host 192.168.10.10" To specify a capture filter for two IP hosts.

-w filename.pcap To specify the base filename for your capture files.

So, putting it all together, you'll have something like:

dumpcap -i 1 -b duration:14400 -f "ip host 192.168.1.1 or ip host 192.168.10.10" -w filename.pcap

It sounds like you already are able to do this in the GUI, but you run into End of Memory errors. Four hours is a long time to capture on a busy network. Perhaps you could do this successfully from the GUI if you shortened the time interval so that the amount of data Wireshark has to keep in memory at one time is smaller.

answered 13 Sep '11, 08:50

Jim Aragon
accept rate: 24%
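As an added example (not part of the answer above, and not Wireshark project code), the following POSIX shell snippet assembles the unattended capture command the answer describes. It assumes the caller supplies the interface number from "dumpcap -D", the two host addresses, and a file prefix; it goes one step beyond the answer by adding dumpcap's "-b files:N" ring-buffer option so a capture left running for days cannot fill the disk (the default of 18 files, i.e. 18 x 4 hours = 3 days of history, is an assumption chosen here), and it validates the addresses before they are handed to the capture filter, so a slip such as "192,168.10.10" is caught up front instead of surfacing as a filter syntax error when the capture starts. The command is only printed, not executed.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds (does not run) a dumpcap
# command for a multi-day capture split into 4-hour files, bounded by a ring
# buffer. Interface number, hosts and file prefix come from the caller.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address with octets 0-255.
# A comma or a stray character in the address makes this fail, which is
# cheaper than discovering the mistake after the capture has started.
is_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_dumpcap_cmd IFACE_NUM HOST_A HOST_B FILE_PREFIX [MAX_FILES]
# Prints the dumpcap invocation on stdout; returns 1 if an address is invalid.
#   -b duration:14400  start a new file every four hours (14400 seconds)
#   -b files:N         keep at most N files, overwriting the oldest (ring buffer);
#                      the default of 18 is an assumption made for this example
#   -f "..."           capture filter limited to traffic of the two hosts
#   -w PREFIX          base name; dumpcap appends a sequence number and timestamp
build_dumpcap_cmd() {
    iface=$1
    host_a=$2
    host_b=$3
    prefix=$4
    max_files=${5:-18}
    is_ipv4 "$host_a" || { echo "invalid IPv4 address: $host_a" >&2; return 1; }
    is_ipv4 "$host_b" || { echo "invalid IPv4 address: $host_b" >&2; return 1; }
    printf 'dumpcap -i %s -b duration:14400 -b files:%s -f "ip host %s or ip host %s" -w %s\n' \
        "$iface" "$max_files" "$host_a" "$host_b" "$prefix"
}

# When run directly with arguments, print the command so it can be reviewed
# before being pasted into a terminal, e.g.:
#   sh build_capture.sh 1 192.168.1.1 192.168.10.10 filename.pcap
if [ "$#" -ge 4 ]; then
    build_dumpcap_cmd "$@"
fi
```

Because the output is just a command line, it can be wrapped in nohup or a service unit for the "several days without manual intervention" requirement; the ring buffer keeps disk use at roughly N files' worth regardless of how long the capture runs.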

2

if you shortened the time interval so that the amount of data Wireshark has to keep in memory at one time is smaller.

Uh, actually, Wireshark (the GUI) does not free up state (i.e., memory) each time a new file is opened when using multiple files.

Update: I'm wrong: state is freed up each time a new file is opened when using multiple files.

Dumpcap with multiple files is the way to go when doing extended captures.

(13 Sep '11, 09:30) Bill Meier ♦♦

I didn't know that. What determines how much memory Wireshark (GUI) uses? Even though Wireshark doesn't free up memory when you start a new file, doesn't it re-use the memory that has already been allocated, and doesn't it have to allocate less memory if you start a new file sooner rather than later?

If you use the multiple files option and start a new file every 10,000 packets, will that use less memory than if you start a new file every 50,000 packets?

I agree that dumpcap is the way to go for extended captures.

(13 Sep '11, 12:03) Jim Aragon

Wireshark (and tshark) accumulate "dissection state information" as they dissect input data (depending upon the protocol, things like "re-assembled" data, "conversation" information, and so on).

This happens independently of how the input may have been broken up into multiple files.

See OutOfMemory for more details.

Update: I should have read the link myself; My statement above is incorrect.

(14 Sep '11, 12:22) Bill Meier ♦♦

I read the "Known Bugs - Out of Memory" page linked to above. It certainly implies that splitting the capture into smaller files will help.

Under "Workaround(s)" it states:

"If you encounter problems that Wireshark is running out of memory, you can do the following:"

"Split the capture file into several smaller ones. This can be done while capturing using the 'Use multiple files' setting in the capture options, or using the editcap command line tool. Switching to a new file while capturing won't release all memory (some memory leaks currently remain), but it will release a lot of it."

(14 Sep '11, 19:16) Jim Aragon

Oops: I got this one completely wrong. Wireshark does clear saved state for each new file when capturing to multiple files.

Jim: Thanks ...

(15 Sep '11, 07:39) Bill Meier ♦♦