On Mon, Dec 31, 2018 at 5:09 PM Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Dec 31, 2018, at 5:05 PM, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
>
> > However, I think maybe I have discovered how to prevent that. Increase
> > the buffer size given to dumpcap (2GB or more.)
>
> What happens if you use tcpdump rather than dumpcap? At least at one point (I think when the changes to libpcap to support memory-mapped packet capture on Linux were being done, the person who made them did some tests with and without memory-mapped capture with both tcpdump and dumpcap) tcpdump lost significantly fewer packets than dumpcap (probably due to the simpler capture code path).
I was capturing on Windows so, AFAIAA, tcpdump was not an option.
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)(传说杜康是酒的发明者)
