Wireshark-users: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations
Doug, I was thinking of going that route, but I really only need the current day's worth of traffic. I changed the ring buffer limit and re-compiled Wireshark. I now have the capture running and it got past the 10000 limitation and currently is moving towards the 20000 mark now. For someone like me that had no idea on how to compile code, the change was very easy and didn't require me to re-invent the back-end processes that we use to find sequence numbers of the market data that we are capturing. I built a whole web console on a Linux machine that searches multiple sniffer machines and uses tshark to read the capture files and parse out the sequence number that we are looking for. The last piece of this puzzle was to get the data captured for the whole entire day, instead of 4 hours at a time. The next thing I'm looking to figure out is a dissector for the market data that we capture, i.e. NASDAQ, NYSE, ARCA, CME, etc.

Thanks
Joe

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Douglas Ross

Joseph,

Have you considered compressing the capture files, if two of your concerns are the huge amount of disk space and the consequent network traffic you need to manage this data? I'm very new to Wireshark, but have used Ethereal in the past, and periodically compressed capture files and deleted the originals (e.g. WinRar achieves a compression ratio of about 10/1).

Anyway, I made a script to automatically compress daily files into two archives per month. This not only reduced disk usage, but also dramatically reduced the number of files/folders.

If 1000 ring files is the hard coded limit, then auto compress and delete after every 500 or 800. If "0" ring files implies no limit, then auto compress after whatever number is most convenient.

I used the capture file dts (date.time stamp) to determine which half-month archive it should be put in. e.g. ...20100501... to ...20100515... I'd put in archive ...201051; ...20100516... to ...20100531... I'd put in archive ...201052 (undoubtedly you'd make a finer split, perhaps into one or two archives per day ..). (The capture file name includes the start-of-capture dts; the system dts is at close of file (= start of next).)

Hopefully, that will help solve the problems of volume of files, and waste of disk space and network capacity. Similarly, I used scripts to help decompress whichever file I needed, based on dts. Hope this helps for a relatively quick fix, at least to give you some ideas.

Good luck
Regards
Doug

PS. While you're scripting this (if you go down that route) you could consider doing first pass analysis, and filter out the stuff you're not interested in, and/or split the capture into known good and useful stuff; definite rubbish (discard); and possible trouble...
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
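The half-month archiving that Doug describes, written out as an added example (this is not a script from the thread or from the Wireshark project). It assumes dumpcap's ring-buffer file naming of the form prefix_NNNNN_YYYYMMDDhhmmss.pcap, takes the date stamp from the file name as Doug suggests, sorts each closed file into a per-half-month directory and gzips it in place. The newest files are left alone because dumpcap is still writing to the last one. The directory names, the keep count and the sample file names in the test are all constructed here. Note that tshark reads gzip-compressed captures directly, so a separate decompress step is not needed to search them; if dumpcap is also running with its own file limit (-b files:N), the archiver has to run before dumpcap reaps the oldest file itself.

```shell
#!/bin/sh
# Added example: sort closed dumpcap ring-buffer files into half-month
# archive directories keyed on the date stamp in the file name, then gzip
# them. Assumed file name layout (an assumption, not taken from the thread):
#   <prefix>_<NNNNN>_<YYYYMMDDhhmmss>.pcap
# e.g. capture_00042_20100516093000.pcap

# archive_key FILE
#   Prints the half-month key for FILE: YYYYMM1 for days 1-15, YYYYMM2 for
#   days 16-31 (the ...201051 / ...201052 split from Doug's mail).
#   Prints nothing and returns 1 when no 14-digit date stamp is present.
archive_key() {
    stamp=$(printf '%s\n' "$1" | sed -n 's/.*_\([0-9]\{14\}\)\.pcap$/\1/p')
    [ -n "$stamp" ] || return 1
    ym=$(printf '%s' "$stamp" | cut -c1-6)      # YYYYMM
    day=$(printf '%s' "$stamp" | cut -c7-8)     # DD
    day=${day#0}                                # "05" -> "5" for the numeric test
    if [ "$day" -le 15 ]; then
        printf '%s1\n' "$ym"
    else
        printf '%s2\n' "$ym"
    fi
}

# archive_closed_files DIR [KEEP]
#   Moves every *.pcap in DIR except the KEEP newest (default 2) into
#   DIR/<half-month key>/ and gzips it there. Files whose name carries no
#   recognisable date stamp are skipped. Lexical sort order of the names is
#   chronological for the assumed layout, so the last files are the newest.
archive_closed_files() {
    dir=$1
    keep=${2:-2}
    set -- "$dir"/*.pcap
    [ -e "$1" ] || return 0                     # nothing to do
    n=$(( $# - keep ))
    [ "$n" -gt 0 ] || return 0                  # only the files still in use
    for f in "$@"; do
        [ "$n" -gt 0 ] || break
        n=$((n - 1))
        key=$(archive_key "$f") || continue
        mkdir -p "$dir/$key"
        mv "$f" "$dir/$key/" && gzip "$dir/$key/$(basename "$f")"
    done
}

# Typical use from cron on the sniffer box, with the capture directory and
# how many of the newest ring files to leave untouched:
#   archive_closed_files /var/captures 2
```

Because the date stamp in the name is the start of the capture, a file that spans midnight on the 15th lands in the first-half archive; if that matters for lookups, key on the file's close time (the mtime) instead.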