Hello All Sorry this question has probably already been asked loads of times before! what is the best way to setup wire shark on a server that records all data all the time for problem analysis at a later date? is this actually possible? I would also like to only store a couple weeks worth of traffic! currently when a issue is reported we start a capture and try to get the user to reproduce the issue. Thanks for any help in advanced. James asked 21 Mar '11, 14:36 jam3s |
4 Answers:
The command line tool "dumpcap" can help especially if you set a ring buffer that will prevent your disk from running out of space by overwriting older trace files. You'll still need terabytes of disk space I guess if you want to go on for a week or more with full packets captured (otherwise use frame slicing and capture only the first 64-256 bytes depending on what protocol you're looking at). If I were you I'd do a capture that is ring buffering for about a day or two and make it clear to the users to report issues rapidly including exact date and time as well as their IP address (if they know how to determine it). That way you can work with smaller disks as long as you get notified quickly enough to stop the capture from overwriting the relevant details. answered 21 Mar '11, 16:08 Jasper ♦♦ |
As others have already mentioned, use dumpcap for long-term capturing. When using dumpcap, you will probably want to make use of the ring buffer so you limit both the maximum capture file size and the maximum number of files that are part of the ring buffer. That will ensure you have somewhat manageable capture files as well as ensure that you don't completely consume all of your disk space. Keep in mind that using dumpcap doesn't guarantee that you won't drop packets, particularly on very busy links, so here are a few performance related tips to consider. answered 21 Mar '11, 19:06 cmaynard ♦♦ |
Search for dumpcap. answered 21 Mar '11, 15:03 Jaap ♦ |
dumpcap will work for you, but you'd better have TONS of local disk. If you're going to grab "everything", you'll probably need terabytes of disk space. If you can narrow your capture down at all (to a particular protocl or particular set of hosts), it will help greatly... answered 21 Mar '11, 15:24 wesmorgan1 |