I'm using Wireshark to try and capture some very rare events that occur very infrequently (months between) but Wireshark shuts down after a couple of days. It's configured to use ring buffered, multiple trace files, but when I return to the machine after more than 2/3 days Wireshark is not running. There is plenty of RAM and disc space. I've asked other people and get the answer "It just does that" which is not a lot of use to me. Any help would be greatly appreciated. Thanks.
asked 16 Sep '10, 09:14 dorsetsteve
One Answer:
Wireshark keeps state information and reassembled data in memory. This means that even if you write to several files on disk, the memory use does increase over time. See: http://wiki.wireshark.org/KnownBugs/OutOfMemory

You can use 'dumpcap' to do the capturing instead; I have used dumpcap to capture a rare problem too and it has been running for months. The syntax you could use is:

dumpcap -i interface -w file -b filesize:16384 -b files:1024

which will create 1024 files of 16MB, giving you a 16GB ring buffer. When the problem occurs, just stop dumpcap and use Wireshark (or tshark) to analyse the files.
answered 16 Sep '10, 09:48 SYN-bit ♦♦
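As an added example (not part of the answer above, and not a Wireshark project script), here is a small POSIX shell wrapper around the dumpcap ring-buffer invocation the answer describes. It sizes the ring from a total budget in MB, checks that the output directory has room for the whole ring plus one file of headroom before starting, and runs dumpcap detached with its stderr logged, so a crash weeks later leaves a log rather than silence. It assumes dumpcap is on PATH, that the user has capture rights on the interface, and that dumpcap's filesize unit is kB (as in the answer, where filesize:16384 gives 16MB files); the names ring_args, check_space and start_capture are this example's own.

```shell
#!/bin/sh
# Added example: long-running dumpcap ring-buffer capture.
# Assumes dumpcap is installed and capture privileges are already set up.

# ring_args TOTAL_MB FILE_MB
# Prints the "-b filesize:KB -b files:N" arguments for a ring of TOTAL_MB
# split into FILE_MB-sized files. dumpcap's filesize unit is kB.
ring_args() {
    total_mb=$1
    file_mb=$2
    files=$(( total_mb / file_mb ))
    printf '%s filesize:%d %s files:%d' -b "$(( file_mb * 1024 ))" -b "$files"
}

# check_space DIR TOTAL_MB FILE_MB
# Succeeds if DIR has free space for the whole ring plus one extra file
# (dumpcap writes the new file before deleting the oldest one).
check_space() {
    dir=$1
    total_mb=$2
    file_mb=$3
    avail_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    needed_kb=$(( (total_mb + file_mb) * 1024 ))
    [ "$avail_kb" -ge "$needed_kb" ]
}

# start_capture IFACE DIR TOTAL_MB FILE_MB
# Starts dumpcap in the background, records its PID and logs its output.
start_capture() {
    iface=$1
    dir=$2
    total_mb=$3
    file_mb=$4
    mkdir -p "$dir"
    if ! check_space "$dir" "$total_mb" "$file_mb"; then
        echo "not enough free space in $dir for a ${total_mb}MB ring" >&2
        return 1
    fi
    # Word splitting of ring_args output is intentional: it yields four arguments.
    # shellcheck disable=SC2046
    nohup dumpcap -i "$iface" -w "$dir/capture.pcapng" \
        $(ring_args "$total_mb" "$file_mb") > "$dir/dumpcap.log" 2>&1 &
    echo $! > "$dir/dumpcap.pid"
    echo "dumpcap started, pid $(cat "$dir/dumpcap.pid"), log: $dir/dumpcap.log"
}

# Usage: sh capture.sh eth0 /var/tmp/ring 16384 16
# (a 16GB ring of 1024 files of 16MB, matching the answer's numbers)
if [ -n "${1:-}" ]; then
    start_capture "$@"
fi
```

To stop the capture once the rare event has happened, send SIGINT to the PID in dumpcap.pid (kill -INT "$(cat /var/tmp/ring/dumpcap.pid)") so dumpcap closes the current file cleanly, then open the files in Wireshark or tshark as the answer suggests.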