Hi! I have runned Wireshark on our AD server as a background porcess in the last couple weeks with writing logs to files. A external IT manager warned me about this and said it's danguraus because it can currupt our AD database or something like that. asked 22 Mar '16, 06:48 Jovial edited 22 Mar '16, 07:15 grahamb ♦ |
One Answer:
Wireshark itself is unlikely (impossible really) to corrupt the AD database, however it would be possible for Wireshark to fill a disk with capture files, leading other software to misbehave. Apart from that Wireshark should not be used for long term captures, it will run out of memory, which may also cause other software to misbehave. See the Wiki page on Out Of Memory and numerous questions about it on this Q&A site. For long term captures use dumpcap and ring buffers. answered 22 Mar '16, 06:58 grahamb ♦ |
Thank you for clearing it up for me! Wireshark normally use around 300mb ram because of the GUI of wireshark logs have been disabled. And HDD is set to overwrite old files with saving last 30GB of logs. Gues i'm in the clear to continue to run Wireshark than! :)
The reason why I run wireshark over a long period like this is because I use it to troubleshot virus activities in our network. (Get alerts from firewall with no information to find the source) Please let me know if you have other suggestion on software that might be more suited for this kind of operations :) Thanks!
I'm not sure what you mean here. If running the wireshark executable, the issue isn't the GUI, it's the retained state of requests and responses. tshark retains much the same sate (as it uses the same dissection engine) so isn't the answer either for long duration running.
There is no definitive answer either on how much traffic consumes how much memory, as it depends on the traffic capture itself.