Wireshark-users: Re: [Wireshark-users] Continuous/circular in-memory tracing?

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 22 Dec 2007 10:01:17 +0100
On Fri, Dec 21, 2007 at 10:10:45PM -0700, Stephen Fisher wrote:
> On Fri, Dec 21, 2007 at 10:00:54PM -0500, Jay Levitt wrote:
> 
> > As far as I can tell from searching the forum, there's no good way to
> > keep Wireshark up and running and capturing to an in-memory circular
> > buffer,
> 
> Correct.

But... Wireshark comes with a utility called 'dumpcap'. Although
this utility does write to disk instead of memory, it does not
keep session information. This means that it doesn't hog your
memory while capturing for long periods of time. I have had a system
running with dumpcap for a few weeks now; it has captured almost
2 billion packets by now in a ring buffer of 1024 files of 16MB
(and the laptop on which it is running is still happy :-) ).

The syntax I used is:

dumpcap -i <interface> -s 1518 -w <file.cap> -b filesize:16384 -b files:1024

How's that for catching an intermittent problem :-)

Of course, having the option of just using a memory ring buffer
until a problem occurs, for which you can manually press "stop",
would also be nice; could you file this as an enhancement bug
as Steve already suggested?

Cheers,
    Sake
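The dumpcap ring-buffer invocation from the message above, wrapped in a small launcher script. This is an added example, not code from the original post or from the Wireshark project: it computes the worst-case disk footprint of the ring (files x filesize, with the -b filesize: value in kB as in the post, 16384 -> 16MB), refuses to start when the target filesystem lacks that much free space, and only then builds and runs the same command line. The interface name, output path and ring geometry are assumptions to adjust per host.

```shell
#!/bin/sh
# Added example (not from the original post or from Wireshark itself):
# launcher for a dumpcap ring-buffer capture that checks disk space first.
# Interface name, output path and ring geometry are illustrative assumptions.

set -eu

# Worst-case bytes a ring of FILES files of FILESIZE_KB kB can occupy.
# dumpcap's -b filesize: value is in kB (16384 -> 16 MB, as in the post).
ring_bytes() {
    files=$1
    filesize_kb=$2
    echo $(( files * filesize_kb * 1024 ))
}

# Available bytes on the filesystem holding DIR, taken from POSIX df -P
# (which reports 1024-byte units with -k).
avail_bytes() {
    dir=$1
    kb=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')
    echo $(( kb * 1024 ))
}

# Exit 0 when DIR has room for NEED bytes, non-zero otherwise.
check_space() {
    dir=$1
    need=$2
    have=$(avail_bytes "$dir")
    [ "$have" -ge "$need" ]
}

# Builds the exact dumpcap command line from the post with the
# parameters substituted (no quoting needed: none of the values contain spaces).
build_cmd() {
    iface=$1; snaplen=$2; outfile=$3; filesize_kb=$4; files=$5
    printf 'dumpcap -i %s -s %s -w %s -b filesize:%s -b files:%s\n' \
        "$iface" "$snaplen" "$outfile" "$filesize_kb" "$files"
}

# Checks space, then starts the capture in the foreground.
# Usage (assumed values): start_ring eth0 /var/tmp/ring.cap 16384 1024
start_ring() {
    iface=$1; outfile=$2; filesize_kb=$3; files=$4
    outdir=$(dirname "$outfile")
    need=$(ring_bytes "$files" "$filesize_kb")
    if ! check_space "$outdir" "$need"; then
        echo "refusing to start: ring needs $need bytes under $outdir" >&2
        return 1
    fi
    cmd=$(build_cmd "$iface" 1518 "$outfile" "$filesize_kb" "$files")
    echo "starting: $cmd"
    $cmd
}

# Only launch when invoked with arguments, e.g.:
#   sh ring.sh eth0 /var/tmp/ring.cap 16384 1024
if [ "$#" -eq 4 ]; then
    start_ring "$1" "$2" "$3" "$4"
fi
```

With the geometry from the post (1024 files of 16384 kB) the ring can occupy 16 GiB on disk, which is what the space check demands before dumpcap is started; dumpcap itself then overwrites the oldest file in the ring, so a capture left running for weeks stays within that bound.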