Hi,
On Fri, Apr 30, 2010 at 12:17:00PM +0800, Darren Tay wrote:
> Specifically, I am giving:
> tshark port 25 -w capfile.cap
>
> The documentation isn't very clear about compressed-mode capturing.
> I am concerned because I need to capture quite a large volume of traffic in
> order to track down the problem I am looking for.
> I am guessing anywhere in the region of about 500 Mbyte to 2 Gbyte, within 5
> hours.
>
> Will tshark work OK like this?
> Do I need to explicitly tell it to write in compressed mode?
tshark can't compress trafic (it can only compress already existsing capture files),
I think you need:
# dumpcap -f 'port 25' -w - | gzip - -f > capfile.pcap.gz
or (better comppression but wireshark don't have support for lzma)
# dumpcap -f 'port 25' -w - | xz - -f > capfile.pcap.xz
hth.