Wireshark-users: Re: [Wireshark-users] Capture packets from different NIC simultaneously

From: Chris Maynard <Chris.Maynard@xxxxxxxxx>
Date: Thu, 3 Nov 2011 14:29:53 +0000 (UTC)

Boaz Galil <boaz20@...> writes:

> Should I run it from command line using Tshark or can I do it over GUI
> (basically I am asking if there are known issues with running several instances
> of wireshark GUI)?

The biggest potential problem I can think of is with memory usage if you're
capturing lots of packets for long periods of time.  My recommendation would be
to use dumpcap instead of Wireshark or tshark (See
http://wiki.wireshark.org/KnownBugs/OutOfMemory for more information about this
topic).

If you don't intend to capture for a long time or if you're confident that
you're not going to run into memory problems, then you can use whichever one you
prefer.  If you want to keep the 5 capture sessions separate, you can start 5
separate instances of [wire|t]shark, or alternatively if you want a combined
capture of all traffic on all interfaces, you can accomplish this using the
latest development version which is capable of capturing on multiple interfaces
running only a single instance of [wire|t]shark.  You can get the latest
automated development version from http://www.wireshark.org/download/automated/,
or you can download the 1.7.0 release on or after November 8, which is when it
is currently scheduled to be released  (see
http://wiki.wireshark.org/Development/Roadmap).
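
Added example, not part of the original post: a shell sketch of the two options described above using dumpcap, either one instance per interface or a single instance on all interfaces, each writing to a ring buffer so long captures stay bounded on disk. The interface names, output directory and ring-buffer sizes are assumptions; the combined form needs a build with multi-interface capture, as the post notes.

```shell
#!/bin/sh
# Constructed example: interface names, OUTDIR and ring-buffer sizes are assumptions.
FILESIZE_KB=${FILESIZE_KB:-102400}   # rotate to a new file every ~100 MB (value in kB)
FILES=${FILES:-20}                   # keep only the newest 20 files per ring
OUTDIR=${OUTDIR:-./captures}

# Print the command when DRY_RUN=1 (the default); otherwise start it in the
# background so several captures can run side by side.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@" &
    fi
}

# Separate sessions: one dumpcap per interface, each with its own ring buffer.
capture_separate() {
    [ "${DRY_RUN:-1}" = 1 ] || mkdir -p "$OUTDIR"
    for ifc in "$@"; do
        run dumpcap -i "$ifc" -b "filesize:$FILESIZE_KB" -b "files:$FILES" \
            -w "$OUTDIR/$ifc.pcapng"
    done
    wait    # block until every background capture has exited
}

# Combined capture: a single dumpcap given several -i options. This requires
# a version that supports capturing on multiple interfaces.
capture_combined() {
    [ "${DRY_RUN:-1}" = 1 ] || mkdir -p "$OUTDIR"
    ifaces=""
    for ifc in "$@"; do ifaces="$ifaces -i $ifc"; done
    # $ifaces is left unquoted on purpose so it splits into separate arguments.
    run dumpcap $ifaces -b "filesize:$FILESIZE_KB" -b "files:$FILES" \
        -w "$OUTDIR/all.pcapng"
    wait
}

# Usage (after reviewing the dry-run output):
#   DRY_RUN=0 capture_separate eth0 eth1 eth2 eth3 eth4
```

With the default `DRY_RUN=1` the functions only print the dumpcap command lines, so they can be checked before anything is started.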