Wireshark-dev: Re: [Wireshark-dev] Something that would be useful in Wireshark when dealing wit
From: Guy Harris <[email protected]>
Date: Mon, 31 Dec 2018 17:09:00 -0800
On Dec 31, 2018, at 5:05 PM, Richard Sharpe <[email protected]> wrote:

> However, I think maybe I have discovered how to prevent that. Increase
> the buffer size given to dumpcap (2GB or more.)

What happens if you use tcpdump rather than dumpcap?  At least at one point (I think when the changes to libpcap to support memory-mapped packet capture on Linux were being done, the person who made them did some tests with and without memory-mapped capture with both tcpdump and dumpcap) tcpdump lost significantly fewer packets than dumpcap (probably due to the simpler capture code path).