Hi, I was recently introduced to wireshark to help me troubleshoot a problomatic network where the switches kept repeatidly crashing. To get me started I picked up a book called Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems by Chris Sanders which has been of great help. I am currently leaving my laptop onsite at the customers house colelcting data over 3/4 day periods and I am finding that when I return to collect the laptop Wireshark has recently crashed. I have set my Capture options to use multiple files and start a new file every 2 hours. this was to try and keep memory usage down and in event of a crash leave me with at least some data. After looking at event viewer in Windows Vista I can see this error: Faulting application wireshark.exe, version 1.6.0.37592, time stamp 0x4dee5505, faulting module libgdk-win32-2.0-0.dll, version 2.22.1.0, time stamp 0x4d1898fe, exception code 0xc0000005, fault offset 0x00007475, process id 0xd4c, application start time 0x01cc42ff531e6942. Not sure if this helps? I have noticed both times that Apple Software Updater is running and is awating instruction. to note. The network has not crashed while I have been monitoring. asked 18 Jul '11, 00:39 timelapse |
One Answer:
The best way to do long-term captures is to use dumpcap instead of Wireshark. Dumpcap is used by Wireshark under the hood. It just collects network packets and writes them to disc. Wireshark also does some analysis and can have an increasing memory footprint resulting in a crash. Also it's better to use capture size as a means of switching to the next file, that way you can set up a ringbuffer that will never grow beyond a certain size, so it won't fill up the discs. I have used dumpcap in that way to capture for months at a time. You can use dumpcap like this:
Meaning, create a ring buffer of 100 files of 100MB each (when the 101st file is created, the 1st one is automatically deleted). Disk usage will therefor never grow beyond 10GB. answered 18 Jul '11, 00:57 SYN-bit ♦♦ |
Hi, thanks for the quick reply. Taken onboard the comments re capture size and ring buffer. Thanks!Will give that a shot.
Where do i enter dumpcap command?
You can enter the command in a CMD window. You might want to add the path to wireshark in your path environment variable (richtclick on computer->properties->advanced system settings->environment_variables, then search for "Path" and add the path to your Wireshark directory), so you can start dumpcap from any folder.
:) much appreciated.