Wireshark · Ethereal-users: Re: [Ethereal-users] Using Ethereal for long tests

[Guy Harris <guy@xxxxxxxxxx>]

> 1) What are the recommended settings if I want to use Ethereal for a day
> long test.
>    It seems to work ok for some time and then stops Sniffing. I guess this
> has something
>    to do with configuration or filters. I can see a large number of packets
> sniffed before
>    it stops sniffing.

It could have something to do with a lot of different things.  It could
be a problem with, say, the networking code in your OS (including, if
it's Windows, the WinPcap code; what version of what OS are you using,
and what version of libpcap/WinPcap are you using?), or with Ethereal,
or....

> 2) How can I specify the max. size of files and max. no. of files so that my
> machine doesn't run out of disk space.

You can't.  Ethereal currently doesn't support that.

> 3) I am trying to capture a corrupted message. Can I write some kind of
> filter which will *only*
>    capture the error messages or corrupted message ??

That would depend on the form of the error message or corrupted message.
The syntax of capture filters is documented in the libpcap/WinPcap man
page; see whether it's sufficiently powerful to allow you to construct
an expression that matches only the message in question (which it may
well not be - for example, it's incapable of doing any processing that
involves a loop).