
Send wireshark capture directly to a file

Hi,

Is it possible to get the capture result sent directly to a file, without being cached in RAM?

I want to perform a capture for a customer, the PC will be connected to the core switch, and the only possible filter on the switch is to limit the data sent to one VLAN instead of all VLANs.

The problem is that, even by sending only one VLAN's data, it is the core switch and the amount of data is tremendous, so the PC RAM cannot handle a capture that lasts more than 2 minutes. This is why we are looking for a way to send the capture data directly to the HD.

Hope you will be able to provide a tip.

Have a nice week.

ERME
asked 2019-04-02 17:39:47 +0000, updated 2019-04-02 17:41:56 +0000


3 Answers

You can use dumpcap to essentially capture to a file (or ring buffer of files) forever. A ring buffer might be beneficial for long-term capturing to limit the number of files saved and the size of each file.

cmaynard
answered 2019-04-02 18:11:27 +0000

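As an added illustration of the ring-buffer approach in this answer (not code from the thread or from the Wireshark project), the script below starts dumpcap with a fixed number of fixed-size files, so a capture that runs for hours never uses more than a known amount of disk, and checks that budget against the free space first. The interface `eth0`, output directory `/var/captures`, file size, file count and the `vlan 100` capture filter are assumed values; change them to match the customer's setup.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed values below:
# interface eth0, output directory /var/captures, capture filter "vlan 100".
IFACE=${IFACE:-eth0}
OUTDIR=${OUTDIR:-/var/captures}
FILE_KB=${FILE_KB:-102400}    # rotate to a new file every 100 MB
NFILES=${NFILES:-50}          # keep only the newest 50 files (about 5 GB)
FILTER=${FILTER:-"vlan 100"}  # BPF capture filter, applied before packets reach user space

# Upper bound on disk used by the ring, in KB: each file is at most $1 KB
# and dumpcap deletes the oldest file once $2 files exist.
ring_budget_kb() { echo $(( $1 * $2 )); }

# Human-readable command line, e.g. for the capture log handed to the customer.
# $1 interface, $2 output dir, $3 file size KB, $4 file count, $5 capture filter
dumpcap_cmdline() {
    # -b filesize:KB  rotate to a new file at this size
    # -b files:N      ring buffer: delete the oldest file when N are present
    # -B 64           64 MiB kernel capture buffer, cushions bursts before the disk write
    # -q              no per-packet counter on the terminal
    printf 'dumpcap -i %s -w %s/capture.pcapng -b filesize:%s -b files:%s -B 64 -q -f "%s"\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Succeeds only if the whole ring fits in the free space of the output directory.
# $1 output dir, $2 file size KB, $3 file count
budget_fits() {
    need=$(ring_budget_kb "$2" "$3")
    avail=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "$avail" -ge "$need" ]
}

run_capture() {
    budget_fits "$OUTDIR" "$FILE_KB" "$NFILES" || { echo "not enough free disk in $OUTDIR" >&2; return 1; }
    echo "starting: $(dumpcap_cmdline "$IFACE" "$OUTDIR" "$FILE_KB" "$NFILES" "$FILTER")"
    dumpcap -i "$IFACE" -w "$OUTDIR/capture.pcapng" -b filesize:"$FILE_KB" -b files:"$NFILES" -B 64 -q -f "$FILTER"
}

# Only capture when invoked with --run; dumpcap needs capture privileges on the interface.
if [ "${1:-}" = "--run" ]; then
    run_capture
fi
```

With `-b files:`, dumpcap appends a sequence number and timestamp to each file name, so the directory always holds the most recent window of traffic rather than an ever-growing single file.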

The problem is that, even by sending only one VLAN's data, it is the core switch and the amount of data is tremendous, so the PC RAM cannot handle a capture that lasts more than 2 minutes.

In no place does any program in the Wireshark suite store raw packet data in memory without writing it to a file. Dumpcap always writes packets to a file; both Wireshark and TShark run dumpcap to do the capturing and read packets from the file to which dumpcap is writing.

Wireshark and TShark do, however, keep some information about all the packets in memory, even though they don't keep the raw packet data in memory; Wireshark, and TShark if it's doing 2-pass processing, will keep a table of packets, storing some packet information including the offset in the file at which the packet record appears, and will keep the contents of reassembled packets.

Dumpcap or tcpdump can be used to write packets to a file, although they will pass through memory on the way to the file even though they won't be kept permanently in the dumpcap/tcpdump address space.

Guy Harris
answered 2019-04-03 05:30:19 +0000

If even dumpcap or tcpdump can't keep up with the packet rate, more dedicated line-rate capture options come into view, i.e. ProfiShark or n2disk.

Jaap
answered 2019-04-03 06:18:12 +0000
