Ethereal-users: RE: [Ethereal-users] Help automating Historical network capture-rollover

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "David DuPre" <david@xxxxxxxxxxxxxxxx>
Date: Thu, 17 Nov 2005 11:00:30 -0500
You might consider capturing only partial packets.  Try some tests with capturing only the first 90 bytes of each packet.
Then analyze it... if that isn't enough, expand it to 180 bytes and check.
You might find that you only need the first XXX bytes of the 1500 byte packet to understand the problem you are
researching.  This could reduce the amount of data.

Another possible option is to only capture packets with a payload...so nothing smaller than XX bytes would be captured.
This could hide a network error though...

Hope that helps,

David

P.S.  I run Ethereal on Linux 24x7 capturing filtered traffic.  I set it up for unlimited rollover at a specific file
size.  Then if I need to analyze a certain part of a day I use mergecap to put the files together and look at them
as one large file.



David DuPre'
Executive Performance Engineering Consultant
HyPerformix Inc.
Office: 706-820-2252
Email: dupre@xxxxxxxxxxxxxxx
Website: www.hyperformix.com


> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of
> Cory Perry (SNL:434-951-7463)
> Sent: Thursday, November 17, 2005 9:36 AM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] Help automating Historical network capture-rollover
>
>
>
> I am looking for a way to historically keep about 2 weeks of traces for
> troubleshooting network issues.
>
> I've tried to use Ring Buffer to roll over after what I expect 2 weeks of
> capturing will require, but the option seems to be limited to 1024 max no
> matter what is set.
>
> I am currently testing tethereal under a Windows environment. I am
> utilizing Windows Folder compression support to reduce data size, and a
> file size of 300000 KB. 1024 files gets me about 292 GB uncompressed
> (180 GB compressed) in about 50 hours, about 11.5 days short of the planned
> requirement.
>
> If anyone has done something similar in Windows or Unix (FreeBSD is my
> preferred Unix solution).
>
> Some of the issues I am working with:
>
> 300000 KB is painful to work with, and with the 1024 limitation that will have
> to be much larger. ;)
> Compression, only have 1.6 TB for storage/rollover.
> Data easily accessible from Windows environment for non-Unix users.
> Automated, I am forgetful and the server could be rebooted for patches by
> other support people.
> Need full capture, can't filter. Don't know what might be needed.
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
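Added example, not part of the original messages: the thread combines unlimited rollover with a 2-week history and a 1.6 TB storage limit, which needs something outside the capture tool to delete old files. One way to do that is a pruner run on a schedule, sketched here in Python. The `.pcap` suffix, the file names and the function names are assumptions, and the sample files are constructed.

```python
import os
import tempfile
import time
from pathlib import Path

DAY = 86400

def prune_captures(directory, max_age_days=14, max_total_bytes=1_600_000_000_000,
                   suffix=".pcap", now=None):
    """Delete the oldest capture files until both limits hold; return removed names."""
    now = time.time() if now is None else now
    files = sorted((p for p in Path(directory).iterdir()
                    if p.is_file() and p.suffix == suffix),
                   key=lambda p: p.stat().st_mtime)
    total = sum(p.stat().st_size for p in files)  # logical (uncompressed) sizes
    cutoff = now - max_age_days * DAY
    removed = []
    # Skip the newest file: the capture process may still be writing to it.
    for p in files[:-1]:
        st = p.stat()
        if st.st_mtime >= cutoff and total <= max_total_bytes:
            break  # every remaining file is newer and inside both limits
        p.unlink()
        total -= st.st_size
        removed.append(p.name)
    return removed

def demo(budget=1300):
    """Constructed sample: five small files aged 20, 10, 5, 1 and 0 days."""
    now = 1_700_000_000  # fixed, constructed timestamp
    ages_and_sizes = [(20, 100), (10, 400), (5, 400), (1, 400), (0, 400)]
    with tempfile.TemporaryDirectory() as d:
        for i, (age, size) in enumerate(ages_and_sizes):
            p = Path(d, f"cap_{i:05d}.pcap")  # hypothetical file name
            p.write_bytes(b"\0" * size)
            os.utime(p, (now - age * DAY, now - age * DAY))
        removed = prune_captures(d, max_total_bytes=budget, now=now)
        left = sorted(p.name for p in Path(d).iterdir())
    return removed, left

if __name__ == "__main__":
    print(demo())
```

The size check uses logical file sizes, so with folder compression enabled the space actually used on disk will be lower than the total the pruner counts.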