Hi all, getting straight to the question...
I am relatively new, and am using tshark over SSH (on an outsourced datacenter box, CentOS/RH), and then transferring the .cap file over to a local box for review using the GUI.
Specifically, I am giving:
tshark -w capfile.cap port 25
The documentation isn't very clear about compressed-mode capturing.
I am concerned because I need to capture quite a large volume of traffic in order to track down the problem I am looking for.
I am guessing anywhere in the region of 500 Mbyte to 2 Gbyte within 5 hours.
Will tshark work OK like this?
Do I need to explicitly tell it to write in compressed mode?
When capturing in compressed mode, is the compression done in a streaming fashion or is it applied just once when capturing has ended?
Thanks!
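The following script is an added example, not part of the original post, showing the two ways the capture above is usually kept to a manageable size: streaming the pcap through gzip as it is written (compression happens packet by packet, not in a pass after the capture stops) and, as an alternative, a bounded ring buffer of uncompressed files. It assumes the interface is eth0, that tshark (or dumpcap) and gzip are on the remote box, that the user may capture on that interface, and the file names capfile.pcap.gz / capfile.pcap; all of those are assumptions, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumptions: the capture
# interface is eth0 (override with IFACE), tshark (or dumpcap) and gzip are
# installed on the remote box, and the user may capture on that interface.
set -eu

CAP_BIN="${CAP_BIN:-tshark}"     # dumpcap accepts the same -i/-f/-a/-b/-w/-q flags
IFACE="${IFACE:-eth0}"           # assumption
FILTER="${FILTER:-port 25}"      # the capture filter from the post
DURATION="${DURATION:-18000}"    # 5 hours, in seconds

# Streaming compression: the capture goes to stdout (-w -) and gzip compresses
# it as packets arrive, so the on-disk file is compressed from the first byte
# rather than in a second pass after the capture ends.  Note that -w - cannot
# be combined with -b ring buffers, which need a real file name.
stream_capture() {          # stream_capture IFACE SECONDS FILTER OUT.gz
    umask 077               # SMTP traffic may carry credentials and mail bodies
    "$CAP_BIN" -q -i "$1" -f "$3" -a "duration:$2" -w - | gzip -9 > "$4"
}

# Ring-buffer alternative: uncompressed, but bounded on disk.  -b filesize is
# in kB and -b files:N keeps only the newest N files.  Prints the -b arguments
# for a budget of MAX_MB spread over FILE_MB-sized files (rounded up).
ring_args() {               # ring_args MAX_MB FILE_MB
    files=$(( ($1 + $2 - 1) / $2 ))
    printf '%s filesize:%d %s files:%d\n' -b "$(( $2 * 1024 ))" -b "$files"
}

ring_capture() {            # ring_capture IFACE SECONDS FILTER BASENAME MAX_MB FILE_MB
    umask 077
    # word splitting of ring_args output is intended: two fixed flag pairs
    "$CAP_BIN" -q -i "$1" -f "$3" -a "duration:$2" $(ring_args "$5" "$6") -w "$4"
}

# Integrity check for a gzip'd capture: the gzip stream must be complete and
# the decompressed data must start with a pcap or pcapng magic number.  Run
# it on the remote box before copying and on the local box after, to catch a
# capture cut short by a dropped SSH session or a truncated transfer.
verify_gzip_pcap() {        # verify_gzip_pcap FILE.gz
    gzip -t "$1" 2>/dev/null || return 1
    magic=$(gzip -dc "$1" | dd bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;   # pcap: LE/BE, us/ns timestamps
        0a0d0d0a) return 0 ;;                               # pcapng section header block
        *) return 1 ;;
    esac
}

case "${1:-}" in
    stream) out="${2:-capfile.pcap.gz}"
            stream_capture "$IFACE" "$DURATION" "$FILTER" "$out"
            verify_gzip_pcap "$out" && sha256sum "$out" ;;   # compare the hash after scp
    ring)   ring_capture "$IFACE" "$DURATION" "$FILTER" "${2:-capfile.pcap}" 2048 100 ;;
    verify) verify_gzip_pcap "$2" && echo "ok: $2" ;;
    *)      echo "usage: $0 stream|ring [file] | verify file.gz" >&2 ;;
esac
```

For an unattended capture of several hours, set CAP_BIN=dumpcap: tshark dissects every packet it writes and its memory footprint grows over a long capture, while dumpcap (the capture engine tshark runs underneath) only writes to disk. Whichever binary is used, copy the .gz over scp and run the verify subcommand on both ends, then compare the sha256sum printed on the remote box with one computed locally.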