
Wireshark stops capturing for almost an hour


Hello There,

I am capturing packets while mirroring the traffic of a port used to connect a FreePBX server. I noticed that after an LLDP message, the capture stops for almost one hour, and during this period the issue I am troubleshooting, micro blanks during the calls, happens.

Any idea why it stops capturing? Please be informed that the LLDP advertisements have been sent many times before the one that is followed by the capture break.

Thanks a lot.

otman
asked 2022-06-10 15:16:58 +0000

1 Answer


Two options come to mind.

  1. Search for "Long term capture" and "dumpcap" for tips on capture sessions like this. Your server could have been overloaded.
  2. If your switch was overloaded, it could be that packet mirroring was dropped, as a low-priority feature.
Jaap
answered 2022-06-10 18:03:35 +0000

Comments

Hello,

Thanks for your support. I don't understand why dumpcap is not recognized by the macOS Z shell. I can see it when I go to the app/wireshark/content/macos directory.

otman (2022-06-13 19:26:37 +0000)

Simply because it's not on your PATH. The installer contains information about that, see here.

Jaap (2022-06-14 05:52:11 +0000)

The installer contains information about that, see here.

Unfortunately "here" doesn't mention "Add Wireshark to the system path.pkg" by name, or give any details about it, just referring to a "system path" package, although it does mention "Install ChmodBPF.pkg" by name, indicating what it does. That part of the User's Guide could use a bit of a cleanup; it should either give enough details to duplicate what's in the "Read me first.html" file or should just point the user to that file.

Guy Harris (2022-06-15 07:09:13 +0000)

Hello,

I could add it to my PATH environment value and then it worked. On the other hand, if you can help, I noticed, in the switch log file, that the port I am using as destination went off when capturing stopped. Do you think the switch was overloaded or the server? If it is the first case, the switch should continue to prioritize voice traffic, as set, and we should not experience the degradation and the break-ups of the line. And if it is the second case, why did the switch turn the mirroring off if only the server was overloaded? Thanks for your support.

otman (2022-06-17 10:52:39 +0000)
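
A long-term capture of the kind the answer points to, as an added example that was not posted by anyone in this thread: it finds dumpcap even when it is not on PATH (the macOS situation in the comments) and starts a ring-buffer capture so an hours-long session never fills the disk. The interface, output path, file duration, file count and buffer size are assumed values, and `find_dumpcap`, `ring_args` and `start_capture` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: long-running ring-buffer capture with dumpcap.
# Usage (assumed values): sh capture.sh start en0 "$HOME/voip.pcapng" 600 144 64

# Where the macOS Wireshark bundle keeps its command-line tools.
MAC_BUNDLE_DIR="/Applications/Wireshark.app/Contents/MacOS"

# Print the path of dumpcap: PATH first, then the app bundle.
# $1 (optional, hypothetical) overrides the bundle directory.
find_dumpcap() {
    if command -v dumpcap >/dev/null 2>&1; then
        command -v dumpcap
    elif [ -x "${1:-$MAC_BUNDLE_DIR}/dumpcap" ]; then
        printf '%s\n' "${1:-$MAC_BUNDLE_DIR}/dumpcap"
    else
        return 1
    fi
}

# Print dumpcap options for a ring buffer.
#   $1 interface   $2 output file   $3 seconds per file
#   $4 files kept  $5 kernel buffer size in MiB
# With -b, dumpcap adds a sequence number and timestamp to each file
# name and deletes the oldest file once $4 files exist.
ring_args() {
    printf '%s\n' "-i $1 -B $5 -b duration:$3 -b files:$4 -w $2"
}

# Replace this shell with dumpcap; paths must not contain spaces
# because the option string is split on whitespace on purpose.
start_capture() {
    dumpcap_bin=$(find_dumpcap) || { echo "dumpcap not found" >&2; return 1; }
    # shellcheck disable=SC2046
    exec "$dumpcap_bin" $(ring_args "$@")
}

# Only capture when explicitly asked to.
case "${1:-}" in
    start) shift; start_capture "$@" ;;
esac
```

With 600-second files and 144 files kept, the ring holds the most recent 24 hours, so the files covering the moment the mirror port went down can be matched against the switch log by their timestamps.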