Is there a maximum size of the capture log (PCAP)? If a 30 minute capture filter = 500meg, how long before the capture stops working? Thanks

asked 10 Feb '15, 14:22 w_1qaz
One Answer:
Simple: if you use dumpcap instead of Wireshark/tshark it will capture until your disk is full (otherwise Wireshark/tshark will probably crash at some point). If you tell dumpcap to write a ring buffer (-b files and -b filesize parameters) it will run forever. See https://blog.packet-foo.com/2013/05/the-notorious-wireshark-out-of-memory-problem/ and

answered 10 Feb '15, 15:27 Jasper ♦♦ edited 10 Feb '15, 15:28
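The ring buffer setup from the answer above, sized against a disk budget, as an added example that is not part of the original thread. The 500 MB per 30 minutes rate comes from the question; the 20000 MB budget, 100 MB file size, interface `eth0`, output path and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: plan a dumpcap ring buffer from a disk budget.
# 500 MB per 30 minutes is the rate from the question; the budget,
# file size, interface and path below are constructed sample values.

# ring_files BUDGET_MB FILE_MB: how many ring files fit in the budget.
ring_files() {
    [ "$2" -gt 0 ] || return 1
    n=$(( $1 / $2 ))
    # This script's own rule: refuse a ring of fewer than 2 files.
    [ "$n" -ge 2 ] || return 1
    echo "$n"
}

# history_minutes FILES FILE_MB RATE_MB RATE_MIN: guaranteed history.
# The newest file is still filling, so only FILES-1 files count as full.
history_minutes() {
    [ "$3" -gt 0 ] || return 1
    echo $(( ($1 - 1) * $2 * $4 / $3 ))
}

# dumpcap_cmd IFACE OUTFILE BUDGET_MB FILE_MB: print the command line.
# -b filesize is given in kB, so MB is multiplied by 1000 here.
dumpcap_cmd() {
    files=$(ring_files "$3" "$4") || return 1
    echo "dumpcap -i $1 -w $2 -b filesize:$(( $4 * 1000 )) -b files:$files"
}

# Sample plan: 20000 MB budget, 100 MB files, 500 MB per 30 minutes.
files=$(ring_files 20000 100)
echo "ring files:  $files"
echo "history min: $(history_minutes "$files" 100 500 30)"
dumpcap_cmd eth0 /var/capture/ring.pcapng 20000 100
```

The script only prints the command; run the printed line yourself once the file count and retained history match what the investigation needs.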