I've been having reliability issues with multiple Wireshark versions on 2008 server. Initially the GUI would crash mid-capture. So I then started to use tshark, but this suffered the following issue:

When capturing to file the packet counter displayed within cmd prompt would freeze. Pressing any key on the keyboard (i.e. STDIN) would get the counter incrementing again. I assumed it was just the counter freezing, however looking at the capture file there's a complete gap in capture whilst the screen is frozen.

Note: The same issue occurs with dumpcap.

Any help massively appreciated.

asked 04 Sep '13, 01:10 Timchampion
One Answer:
Wireshark and tshark crashes are inevitable when doing captures that run for a long time or just capture a lot of packets. Both keep information about TCP connections in memory (mostly for reassembly), which will lead to a crash sooner or later, even when storing packets into multiple files.

Dumpcap should work, because it just writes packets to disk, without any overhead. Are you sure that dumpcap has the exact same issue as tshark?

answered 04 Sep '13, 01:40 Jasper ♦♦