Wireshark-users: Re: [Wireshark-users] Can I get Wireshark to capture constantly, but not count t
From: Phil Paradis <Phil.Paradis@xxxxxxxxxxxxxx>
Date: Mon, 23 Aug 2010 15:25:11 -0700
If you're going to run continuously, I'd suggest using dumpcap, rather than Wireshark. Dumpcap merely captures the data, without trying to analyze it, so it doesn't need large amounts of memory to store state information.

You can configure a capture to use a ring buffer of a fixed maximum size; that would probably be better than simply erasing everything periodically, as it would guarantee some amount of historical data so long as the capture is running.

If the capture needs to survive between user sessions/reboots, you could set up dumpcap to run as a daemon (on *nix) or service (on Windows; you'll need srvany.exe from the resource kit tools) so that it will run in the background and auto-start after a reboot.

Note that when using a ring buffer, the state data for the buffer is lost when dumpcap stops; when it restarts, a new buffer is created. As such, if you configure dumpcap to start automatically on boot, make sure you have a script set up to clean out the old files from prior sessions.

On Aug 23, 2010, at 4:00 PM, Gregorio Tomas Focaccio wrote:

> Hello,
> 
> I'm setting up a small development / study network and I would like Wireshark to be constantly capturing, aside from pauses to reconfigure. I want Wireshark to capture N packets or N megabytes worth of data or for N minutes and then, when it reaches N+1, to clear everything but keep capturing starting with a clean slate. Is this possible?
> 
> I'm worried that with default settings a continuous capture will overload the memory resources of the server. Is there a way to define a maximum memory allocation for captured data?
> 
> Thanks,
> Greg

--
Phillip Paradis / Network Engineer / United Tote
Phone +1 502 509 7445 / Email phillip.paradis@xxxxxxxxxxxxxx
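The setup Phil describes (dumpcap with a bounded ring buffer, plus a cleanup step for the previous session's files before an auto-started dumpcap creates a new ring), as an added example that is not part of this thread; the interface name, output directory, file count and file size are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Interface, directory
# and sizes are placeholders; adjust them for the host in question.

# Build the dumpcap command for a ring buffer of FILES files of SIZE_KB
# each. "-b filesize:" is in kB and "-b files:" caps how many files are
# kept, so disk use stays at roughly files * filesize; -q suppresses the
# packet counter, which is noise for an unattended capture.
build_dumpcap_cmd() {
  iface="$1"; outdir="$2"; files="$3"; size_kb="$4"
  printf 'dumpcap -q -i %s -b files:%s -b filesize:%s -w %s/ring.pcap\n' \
    "$iface" "$files" "$files_placeholder_unused_guard" "$outdir" 2>/dev/null || true
  printf 'dumpcap -q -i %s -b files:%s -b filesize:%s -w %s/ring.pcap\n' \
    "$iface" "$files" "$size_kb" "$outdir"
}

# Remove ring files left by an earlier dumpcap run. dumpcap names them
# <base>_<NNNNN>_<YYYYmmddHHMMSS>.<ext>; a restarted dumpcap starts a new
# ring and never reclaims the old ones, so boot scripts should do this
# first. Prints the number of files removed; other files are untouched.
cleanup_old_ring() {
  outdir="$1"; base="$2"
  count=0
  for f in "$outdir"/"${base}"_[0-9][0-9][0-9][0-9][0-9]_[0-9]*.pcap; do
    [ -e "$f" ] || continue
    rm -f -- "$f"
    count=$((count + 1))
  done
  echo "$count"
}

# Typical boot-time use (constructed placeholders):
#   cleanup_old_ring /var/log/pcap ring
#   eval "$(build_dumpcap_cmd eth0 /var/log/pcap 10 102400)"
```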