Wireshark 长时间抓包~~很长很长,肿么办

Wireshark 长时间抓包~~很长很长,肿么办

From: http://blog.csdn.net/tryscan/article/details/8209234

最近遇到比较麻烦的事情,需要整个晚上甚至更长时间启用Wireshark抓包,分析网络是否有异常,甚至在抓包的同时要开启迅雷等下载软件,或者进行VOIP通话等,鬼知道一晚上抓的包有多大。不管三七二十一,启动wireshark,只管Run(想当然以为,只要硬盘空间够,抓包没问题),试了几回,早上来都崩溃了,以为是wireshark版本问题,可是即使用最新的版本(考虑兼容性问题,放弃windows7,用XP),崩溃依旧~~肿么办????原来在Linux下tcpdump没这么脆弱啊。

找到windows下安装wireshark 的目录,那不是有个 dumpcap.exe 的东东么,靠!应该是命令抓包了,果断的 dumpcap.exe -h ,果然:

D:\Program Files\Wireshark>dumpcap.exe -h
Dumpcap 1.8.0 (SVN Rev 43431 from /trunk-1.8)
Capture network packets and dump them into a pcapng file.
See http://www.wireshark.org for more information.

Usage: dumpcap [options] …

Capture interface:
  -i <interface>           name or idx of interface (def: firs
  -f <capture filter>      packet filter in libpcap filter syn
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don’t capture in promiscuous mode
  -B <buffer size>         size of kernel buffer (def: 1MB)
  -y <link type>           link layer type (def: first appropr
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of i
  -d                       print generated BPF code for captur
  -S                       print statistics for each interface
  -M                       for -D, -L, and -S, produce machine

RPCAP options:
  -r                       don’t ignore own RPCAP traffic in c
  -u                       use UDP for RPCAP data transfer
  -A <user>:<password>     use RPCAP password authentication
  -m <sampling type>       use packet sampling
                           count:NUM – capture one packet of e
                           timer:NUM – capture no more than 1
Stop conditions:
  -c <packet count>        stop after n packets (def: infinite
  -a <autostop cond.> …  duration:NUM – stop after NUM secon
                           filesize:NUM – stop this file after
                              files:NUM – stop after NUM files
Output (files):
  -w <filename>            name of file to save (def: tempfile
  -g                       enable group read access on the out
  -b <ringbuffer opt.> … duration:NUM – switch to next file
                           filesize:NUM – switch to next file
                              files:NUM – ringbuffer: replace
  -n                       use pcapng format instead of pcap (
  -P                       use libpcap format instead of pcapn

Miscellaneous:
  -t                       use a separate thread per interface
  -q                       don’t report packet capture counts
  -v                       print version information and exit
  -h                       display this help and exit

看来就它了,试了一下  dumpcap.exe 报错,OMG,我是上网卡不知道抓哪个,看说明-D后就能识别哪个网卡了,然后……(此处省略500字,废话,谁要看你折腾的过程,赶紧说咋用就行)

结论: dumpcap.exe -i 2 -b filesize:100000 -w d:\test.pcap

至于为什么-i 后是2不是1,正常人都能想到是编号为2 的网卡接口,你咋知道,MG,-D 就是为了了解是哪个interface,剩下的参数,不懂的学英语去。我这会抓包,忙着呢!

    原文作者:Hansel
    原文地址: https://blog.csdn.net/hansel/article/details/8651316
    本文转自网络文章,转载此文章仅为分享知识,如有侵权,请联系博主进行删除。
点赞