Wireshark-users: Re: [Wireshark-users] Display dumpcap in real time

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 1 Nov 2011 14:07:54 -0700
On Nov 1, 2011, at 1:51 PM, Chip wrote:

> Okay great Guy, that's perfectly clear now.  I think I will go with tcpdump -S as really I am only caring about the connection information and not raw packet information.
> 
> Do you think tcpdump can hold up to running for hours capturing connection information without crashing a system because of memory usage?

(If your *system* crashes because of memory usage, you should complain to your operating system vendor. :-))

If you run with the "-n" flag, it will not map link-layer addresses, or network-layer addresses such as IP addresses, to host names; that will reduce the likelihood of tcpdump stalling temporarily while trying to resolve an address (thus reducing the likelihood that it'll drop packets), and will also mean it won't allocate memory to store those address/name pairs, reducing the amount of memory it consumes as it runs.

If you run with both -S and -n, it shouldn't consume memory as it runs.

> In tcpdump can one use a ring buffer feature like in dumpcap?

At least in newer versions of tcpdump:

	if you use the -C flag, you can specify a file size in megabytes (1,000,000 bytes, not 1,048,576 bytes), and tcpdump will switch files once they've gotten bigger than the specified size;

	if you use the -G flag, you can specify a time in seconds, and tcpdump will either discard the previous capture file after that number of seconds and start a new capture or switch to a new file after that number of seconds.
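A small wrapper around the flags discussed in this message (-n, -S, -C, -G), added here as an example and not taken from the thread; the function names and the SYN/FIN/RST capture filter used to keep only connection setup and teardown are this example's own choices.

```shell
#!/bin/sh
# Added example: build a long-running tcpdump command line from the flags
# discussed above, and only run it when asked to.

# Capture filter keeping connection setup/teardown segments (SYN, FIN, RST);
# this is an assumption about what "connection information" means here.
CONN_FILTER='tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'

# build_tcpdump_cmd MODE VALUE OUTFILE [FILTER]
#   MODE=size  rotate with -C when a file exceeds VALUE MB (1 MB = 1,000,000 bytes)
#   MODE=time  rotate with -G every VALUE seconds; OUTFILE may carry strftime escapes
build_tcpdump_cmd() {
    mode=$1 value=$2 outfile=$3 filter=$4
    case $value in
        ''|*[!0-9]*|0) echo "VALUE must be a positive integer" >&2; return 1 ;;
    esac
    case $mode in
        size) rotate="-C $value" ;;
        time) rotate="-G $value" ;;
        *)    echo "MODE must be size or time" >&2; return 1 ;;
    esac
    # -n: never resolve addresses (no resolver stalls, no growing name cache)
    # -S: print absolute TCP sequence numbers (no per-connection state kept)
    cmd="tcpdump -n -S $rotate -w $outfile"
    if [ -n "$filter" ]; then
        cmd="$cmd '$filter'"
    fi
    printf '%s\n' "$cmd"
}

# Byte count at which -C rotates, using tcpdump's 1,000,000-byte megabyte.
rotate_size_bytes() { echo $(( $1 * 1000000 )); }

# Usage: ./capture.sh [--run]; without --run the commands are only printed.
main() {
    size_cmd=$(build_tcpdump_cmd size 100 /var/tmp/conn.pcap "$CONN_FILTER") || return 1
    time_cmd=$(build_tcpdump_cmd time 3600 '/var/tmp/conn-%Y%m%d-%H%M%S.pcap' "$CONN_FILTER") || return 1
    printf 'size-based rotation: %s\n' "$size_cmd"
    printf 'time-based rotation: %s\n' "$time_cmd"
    if [ "${1:-}" = "--run" ]; then
        eval "$size_cmd"   # needs capture privileges (root or CAP_NET_RAW)
    fi
    return 0
}
main "$@"
```

Note that with -G the output name must contain strftime escapes, otherwise each rotation overwrites the same file.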