0

Would this cause an issue eventually, or is it always OK to leave running? Should its logs be saved every now and again, and if so, when?

Axle

6 Answers

4

The real question is: what is the purpose of this?

If you want something that can continuously log and monitor network traffic, and attach to a trace whenever you need to, consider a solution that doesn't have such massive overhead, such as dumpcap (included in the Wireshark distribution).

Personally, I use Network Security Toolkit (NST), which is a specialized distribution that contains tons of analysis and measurement software in one easy-to-deploy DVD or VMware image, and supports fully transparent SPAN capturing of all traffic.

adaptr
3

Generally it's OK, especially if you have it running on a mirrored/spanned port; it's really only a load/disk-space issue.

As to when they should be saved, that's down to your own use case, to be honest; not sure anyone can answer that for you.

By the way, Gerald Combs, who wrote Wireshark, is a user here and often pops up when questions like this occur. Quite the privilege, eh!

Chopper3
  • ...Only a load/disk space issue ? seriously ? have you ever tried to open a 1GB pcap file with wireshark ? – adaptr Jul 12 '12 at 11:47
  • @adaptr Well, isn't that load? :) – Jeff Ferland Jul 12 '12 at 12:40
  • ...no, that would be the fact that wireshark loads pcaps in memory, and loading more than your system can accomodate is a hard failure. "Live" wireshark is not intended to continuously receive traffic; you have the overhead of a GUI app and the (possibly) filtered display to contend with as well. – adaptr Jul 12 '12 at 15:12
  • Afaik, you literally cannot open a pcap < 2GB with wireshark. This edge case may have changed since I last tried but it's worth looking in to. – MDMarra Jul 12 '12 at 21:08
3

Wireshark uses dumpcap under the covers. So, with that being said, you can use dumpcap at the Windows command line to collect your traffic. You can do something like this:

"c:\Program Files\Wireshark\dumpcap" -i 2 -w \temp\output.pcap -b filesize:102400 -b files:5 -f "host 1.1.1.1"
  • -i 2 -- is the interface id (you can find out what your number is with dumpcap -D)
  • -w \temp\output.pcap -- is the output file (make sure that the c:\temp\ folder is there or it will error out)
  • -b filesize:102400 -- is for how big you want each file to be
  • -b files:5 -- is the number of files to keep; it will keep up to a maximum of 5 files
  • -f "host 1.1.1.1" -- Wireshark capture filters can be put there

Other flags can be found here: http://www.wireshark.org/docs/wsug_html_chunked/AppToolsdumpcap.html

onzyone
1

Assuming you're on Windows...

If you're just trying to capture for later analysis, look at using WinDump (distributed with WinPcap) with the -C file_size option. This will cause it to close the current output file and open a new one when the file_size parameter is reached. You can also provide options for the file names as they are rotated.

On Linux, you can use the same option with tcpdump.

You can then load a, say, 100 MB file in Wireshark rather than the entire capture.
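The ring-buffer capture that the dumpcap answer above sets up on Windows, and the windump/tcpdump -C rotation this answer describes, amount to the same thing on Linux: a bounded set of rotating files that can be opened one at a time instead of one enormous pcap. The following POSIX sh wrapper is an added example, not code from either answer, and assumes illustrative values (interface eth0, directory /var/tmp/cap, five files of 100 MB, and the "host 1.1.1.1" filter used above). It adds the check a practitioner wants before leaving a capture running unattended: the directory must exist and be writable, and the filesystem must have room for the whole ring plus slack, so a full ring cannot fill the disk under the rest of the system.

```shell
#!/bin/sh
# Added example (not from the answers above): start a bounded ring-buffer
# capture with dumpcap (Wireshark) or tcpdump on Linux, but only after
# checking that the capture directory can hold the entire ring.
# Assumed, illustrative values: eth0, /var/tmp/cap, 5 x 100 MB, "host 1.1.1.1".

# Total size in kB of a ring of NFILES files of SIZE_KB each.
ring_budget_kb() {
    echo $(( $1 * $2 ))
}

# Free space in kB on the filesystem holding DIR (POSIX "df -Pk": one line per fs).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Succeeds only if DIR exists and is writable (dumpcap errors out otherwise).
capture_dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Succeeds only if DIR is writable and has NEED_KB plus 10% slack free.
capture_dir_ok() {
    dir=$1 need_kb=$2
    capture_dir_writable "$dir" || return 1
    [ "$(free_kb "$dir")" -ge $(( need_kb + need_kb / 10 )) ]
}

# dumpcap ring: -b filesize: is in kB (102400 is about 100 MB); -b files:
# caps the ring so the oldest file is replaced once NFILES exist.
dumpcap_ring_cmd() {
    printf 'dumpcap -i %s -w %s -b filesize:%s -b files:%s -f "%s"\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# tcpdump equivalent: -C is in millions of bytes, -W caps the file count and
# makes the ring wrap, -U flushes each packet so a rotated file is complete
# the moment it is closed. The filter is a positional expression, not -f.
tcpdump_ring_cmd() {
    printf 'tcpdump -i %s -U -w %s -C %s -W %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Check the disk budget, then exec the capture. TOOL is "dumpcap" or "tcpdump".
start_ring_capture() {
    tool=$1 iface=$2 dir=$3 size_mb=$4 nfiles=$5 filter=$6
    size_kb=$(( size_mb * 1024 ))
    need_kb=$(ring_budget_kb "$size_kb" "$nfiles")
    if ! capture_dir_ok "$dir" "$need_kb"; then
        echo "refusing to capture: $dir missing, unwritable or under ${need_kb} kB free" >&2
        return 1
    fi
    case $tool in
        dumpcap) cmd=$(dumpcap_ring_cmd "$iface" "$dir/ring.pcapng" "$size_kb" "$nfiles" "$filter") ;;
        tcpdump) cmd=$(tcpdump_ring_cmd "$iface" "$dir/ring.pcap" "$size_mb" "$nfiles" "$filter") ;;
        *) echo "unknown tool: $tool" >&2; return 1 ;;
    esac
    echo "starting: $cmd" >&2
    eval exec "$cmd"   # replaces this shell with the capture process
}

# Usage (assumed values; either tool needs CAP_NET_RAW or root to open eth0):
#   start_ring_capture dumpcap eth0 /var/tmp/cap 100 5 'host 1.1.1.1'
#   start_ring_capture tcpdump eth0 /var/tmp/cap 100 5 'host 1.1.1.1'
```

With five 100 MB files the wrapper insists on roughly 550 MB free before it starts; a 1 GB single-file capture is exactly what the comments above warn Wireshark cannot comfortably open, whereas each rotated 100 MB file loads fine on its own.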

0

Instead of Wireshark, consider using n2disk, from the people who wrote the excellent ntop.

Quoting their page:

With n2disk you can capture full-sized network packets at multi-gigabit rate (above 10 Gigabit/s on adequate hardware) from a live network interface and write them into files without any packet loss. n2disk has been designed to write files to disk for very long periods.

Using DNA (Direct NIC Access), you are able to capture line-rate 10 Gb/s to disk (given the proper hardware).

petrus
-2

If it doesn't discard old entries, it may cause other software to run out of memory.

Cees Timmerman