Hi, I have latest version 2.2.4) installed on 2 Windows servers 2008 R2 Enterprice SP1 64bit OS with 48GB RAM 2 CPUs @ 2.8GHz; and encounter following issue: when I capture traffic and send the output to multiple files, WS crashes after the first file, sometimes the 2nd file contains some data, but usually it is empty. conditions were: - capturing on 2 interfaces - with any capture filter on both i/f - output to files of 300MB, no ring buffer - Auto-Stop capture after a couple of files - no update list of packets in real-time I have encountered this issue for many versions unfortunately, but this version is really doing very bad on this :-( Is there something that I need to take into consideration, e.g. limiting the size of the files (but tried with 100MB files gives same issue), ... ? Pls advise. Thx. asked 28 Feb '17, 08:27  profke |
One Answer:
I would try dumpcap first, as that application performs capture using only BPF capture filters. Wireshark (and tshark) both dissect the traffic as well as capture it which puts the system under extra load at high traffic rates. The man page for dumpcap is here. It's a command line program so has to be run from a shell, e.g. cmd.exe or PowerShell and you'll need to provide the full path to the application, e.g. The Using Google found this guide on dumpcap. answered 01 Mar '17, 07:58  grahamb ♦ I haven't tried with dumpcap yet, but meanwhile I discovered that when capturing to files and leaving the "Update list of packets in real time" checked, WS doesn't crash until it comes to the saving of the last file. So this is workable for me as I have long-term capturing with all files stored. Will try with dumpcap later on. Thanks. (03 Mar '17, 05:48) profke |
What rate of traffic are you attempting to capture on the 2 interfaces?
Are you using the 64 bit version of Wireshark?
Have you tried using tshark, or if there are no capture filters, dumpcap to perform the captures?
The rate of traffic measured on the SPAN port of the switch is about 325Mb/s for the first link to the sniffer,↔︎the other one only carries about 73kb/s. In WS in the capture file stats I see the rate averages around 900 kb/s (so with a capture filter applied)
Yes, I'm using the 64bit version of WS
No, haven't tried with tshark, as I have not the habit nor knowledge to do so.
WS also crashed when I hit the stop button while a capture to a file is ongoing; fortunately the file contains data.
thx for any advise. BR.