
Wireshark-users: Re: [Wireshark-users] Compressed capture?

From: Darren Tay <gluino@xxxxxxxxx>
Date: Tue, 4 May 2010 13:07:04 +0800
I am using:

/usr/sbin/dumpcap -f 'port 25' -w - | gzip - -f > p25-03.cap.gz

Seems to be OK, except when the .cap.gz file is opened in the Wireshark GUI, I get a warning:
"The capture file appears to have been cut short in the middle of a packet."

I had terminated the job using CTRL-C.

Is there some other way to stop the capture and gzip cleanly?

Otherwise, I don't think it's a big deal to me, if it only affects the last packet in the file.


On 30 April 2010 19:32, Darren Tay <gluino@xxxxxxxxx> wrote:

On 30 April 2010 17:38, Jakub Zawadzki <darkjames@xxxxxxxxxxxxxxxx> wrote:

tshark can't compress traffic (it can only compress already existing capture files),
I think you need:

# dumpcap -f 'port 25' -w - | gzip - -f > capfile.pcap.gz
or (better compression, but Wireshark doesn't have support for lzma)
# dumpcap -f 'port 25' -w - | xz - -f > capfile.pcap.xz


Thanks, I'm using the gzip one, since I need Wireshark to read it.

Since I don't have a good way to load test it, except with production traffic later next week, I have another question:
During heavy port 25 traffic, bulk (legit) email newsletters, is doing the gzip arrangement above likely to help minimize dropped packets? Or is the plain tshark / tcpdump expected to cope better with heavy traffic?

Also, could you explain (or point me to an explanation of) the syntax you've given, mainly the lone minus signs before the pipe and after "gzip"?
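The pipeline and the truncated-last-packet symptom discussed above, as an added example that is not part of the original thread or of the Wireshark project. CTRL-C makes the shell deliver SIGINT to every process in the foreground job: dumpcap closes its output cleanly, but gzip, receiving the same signal, exits immediately and whatever is still in its output buffer is lost, which is what produces a file that ends in the middle of a packet. The script below shows two ways to avoid that (ignore SIGINT for gzip only, or let dumpcap stop itself with -a) and a small checker, pcap_check, that walks the pcap record headers to tell whether the last record is complete. The function names, the p25-03.cap.gz output name and the sample capture data are assumptions of this example; the sample .pcap.gz files are constructed inline, not real captures, and dumpcap is only needed for the two capture_* functions. In the commands, `-w -` tells dumpcap to write to stdout and the lone `-` tells gzip to read stdin; both are standard behaviour of those tools.

```shell
#!/usr/bin/env bash
# Added example (not code from the original posts or from Wireshark).
# Assumes bash, GNU gzip, od, mktemp; dumpcap only for capture_port25*.

# 1. Capture so that Ctrl-C stops dumpcap but never gzip.
#    The subshell ignores SIGINT before exec, so gzip inherits the ignored
#    disposition, reads until dumpcap closes the pipe and flushes a complete
#    stream. (GNU gzip keeps SIGINT ignored when it was ignored at startup.)
capture_port25() {
    local out=${1:-p25-03.cap.gz}
    /usr/sbin/dumpcap -f 'port 25' -w - | ( trap '' INT; exec gzip -f ) > "$out"
}

# 2. Or let dumpcap stop itself (-a duration:SECONDS; filesize:KB and files:N
#    also exist), so no signal is involved at all.
capture_port25_timed() {
    local out=${1:-p25-03.cap.gz} secs=${2:-3600}
    /usr/sbin/dumpcap -f 'port 25' -a "duration:$secs" -w - | gzip -f > "$out"
}

# Read an unsigned 32-bit integer at byte offset $2 of file $1;
# $3 is 1 for a little-endian file, 0 for big-endian.
read_u32() {
    local rf=$1 roff=$2 rlit=$3
    set -- $(od -An -tu1 -j "$roff" -N4 "$rf")
    if [ "$rlit" -eq 1 ]; then echo $(( $1 | $2 << 8 | $3 << 16 | $4 << 24 ))
    else echo $(( $4 | $3 << 8 | $2 << 16 | $1 << 24 )); fi
}

# 3. pcap_check FILE: decompress if needed, walk the classic pcap records and
#    print "complete N" (return 0) or "truncated N" (return 1), N being the
#    number of whole records. A cut-off gzip stream is decompressed as far as
#    it goes, which is also what Wireshark gets to see.
pcap_check() {
    local pf=$1 tmp size magic little off n incl status
    tmp=$(mktemp)
    case $pf in
        *.gz) gzip -dc "$pf" > "$tmp" 2>/dev/null || true ;;
        *)    cat "$pf" > "$tmp" ;;
    esac
    size=$(wc -c < "$tmp"); size=$((size + 0))
    magic=$(od -An -tx1 -N4 "$tmp" | tr -d ' \n')
    case $magic in
        a1b2c3d4|a1b23c4d) little=0 ;;   # big-endian (usec / nsec magic)
        d4c3b2a1|4d3cb2a1) little=1 ;;   # little-endian
        *) rm -f "$tmp"; echo "not-pcap"; return 2 ;;
    esac
    off=24; n=0; status=complete          # 24-byte global header
    while [ "$off" -lt "$size" ]; do
        # record header: ts_sec ts_usec incl_len orig_len (16 bytes), then incl_len data
        if [ $((size - off)) -lt 16 ]; then status=truncated; break; fi
        incl=$(read_u32 "$tmp" $((off + 8)) "$little")
        if [ $((size - off - 16)) -lt "$incl" ]; then status=truncated; break; fi
        off=$((off + 16 + incl)); n=$((n + 1))
    done
    rm -f "$tmp"
    echo "$status $n"
    [ "$status" = complete ]
}

# --- constructed sample data (not a real capture) to exercise pcap_check ---
u32le() {   # emit $1 as four little-endian bytes
    printf "$(printf '\\%03o\\%03o\\%03o\\%03o' $(( $1 & 255 )) $(( ($1 >> 8) & 255 )) \
                                                $(( ($1 >> 16) & 255 )) $(( ($1 >> 24) & 255 )))"
}
pcap_header() {   # magic 0xa1b2c3d4, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET
    u32le 2712847316; u32le 262146; u32le 0; u32le 0; u32le 65535; u32le 1
}
pcap_record() {   # $1 = incl_len/orig_len written into the header, $2 = bytes actually written
    u32le 1272949624; u32le 0; u32le "$1"; u32le "$1"; printf '%s' "$2"
}
make_sample_captures() {   # writes complete.pcap.gz and truncated.pcap.gz into directory $1
    { pcap_header; pcap_record 4 ABCD; pcap_record 3 EFG; } | gzip -c > "$1/complete.pcap.gz"
    # last header promises 10 bytes but only 3 follow: what an interrupted pipeline leaves behind
    { pcap_header; pcap_record 4 ABCD; pcap_record 10 EFG; } | gzip -c > "$1/truncated.pcap.gz"
}

demo_dir=$(mktemp -d)
make_sample_captures "$demo_dir"
pcap_check "$demo_dir/complete.pcap.gz"            # complete 2
pcap_check "$demo_dir/truncated.pcap.gz" || true   # truncated 1
rm -rf "$demo_dir"
```

`gzip -t file.gz` is the quicker first check for a stream that was cut off at the gzip level; pcap_check goes one step further and reports whether the decompressed data ends on a record boundary. On the packet-loss question: compression runs in a separate process, so it costs CPU but does not itself make dumpcap drop packets unless gzip cannot keep up and the pipe fills; dumpcap's kernel buffer size (`-B`) is the knob that matters for bursts.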