I'm trying to capture packets to diagnose a network application. There are a small number of packets that I want to capture the entire contents for application level protocol analysis, but a large volume of packets that I only need to capture the headers and a few bytes of the payload. This is on a 10 gigabit (and I would like to do 25 gigabit in the future) link and I have had trouble with maintaining capture throughput when I capture everything.

I have looked at tcpdump, dumpcap, and tshark, and none of them seem to have an option to specify a variable snaplen field. Is there a capture tool that can do this? From looking at the output of dumpcap -d I can see that the return value of the filter is the desired snaplen, or 0 to not capture. But none of these programs seem to take a compiled BPF as input.

1 Answer

Run two simultaneous captures, each with the appropriate filter and snaplen, then merge them using the mergecap tool that comes with Wireshark.

  • Thanks, this worked! It's important to make sure that the filters for the two invocations are actually mutually exclusive.
    – Evan
    Commented Apr 1 at 23:31
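The two-capture approach from the answer, written out as a script. This is an added example, not code from the original post or from the Wireshark project. It assumes dumpcap and mergecap are on PATH and that the user has capture privileges on the interface; the interface name, the "full payload" filter, the snaplens and the duration are constructed placeholders that can be overridden through environment variables. The second filter is built as the literal negation of the first, which is how the mutual-exclusion requirement from the comment is satisfied: a packet can never match both captures and so cannot appear twice in the merged file.

```shell
#!/bin/sh
# Added example (not from the original post): run one full-payload capture and
# one header-only capture in parallel with mutually exclusive filters, then
# merge them with mergecap. All values below are assumed placeholders.
set -u

IFACE="${IFACE:-eth0}"                       # assumed interface name
FULL_FILTER="${FULL_FILTER:-tcp port 5000}"  # placeholder: packets wanted in full
FULL_SNAPLEN="${FULL_SNAPLEN:-262144}"       # dumpcap's default maximum snaplen
HEAD_SNAPLEN="${HEAD_SNAPLEN:-128}"          # headers plus a few payload bytes
DURATION="${DURATION:-60}"                   # seconds each capture runs
OUT="${OUT:-merged.pcapng}"                  # merged result

# The header-only filter is the exact complement of the full-payload filter,
# so the two captures are mutually exclusive by construction (the caveat from
# the comment above). Wrapping in parentheses keeps operator precedence intact
# for compound filters such as "tcp port 5000 or udp port 5001".
complement_filter() {
    printf 'not (%s)' "$1"
}

# Assemble one dumpcap command line: $1 filter, $2 snaplen, $3 output file.
# -B raises the kernel capture buffer (MiB), which helps at 10G+ line rates.
# The command is returned as text so it can be logged or reviewed before use;
# BPF filter syntax contains no double quotes, so the quoting below is safe.
capture_cmd() {
    printf 'dumpcap -i %s -s %s -B 256 -a duration:%s -f "%s" -w %s' \
        "$IFACE" "$2" "$DURATION" "$1" "$3"
}

# Launch both captures concurrently, wait for both to finish, then merge them
# in timestamp order. Temporary files live in a private directory.
split_capture() {
    head_filter=$(complement_filter "$FULL_FILTER")
    tmpdir=$(mktemp -d)

    sh -c "$(capture_cmd "$FULL_FILTER" "$FULL_SNAPLEN" "$tmpdir/full.pcapng")" &
    full_pid=$!
    sh -c "$(capture_cmd "$head_filter" "$HEAD_SNAPLEN" "$tmpdir/head.pcapng")" &
    head_pid=$!

    wait "$full_pid" || { echo "full-payload capture failed" >&2; return 1; }
    wait "$head_pid" || { echo "header-only capture failed" >&2; return 1; }

    mergecap -w "$OUT" "$tmpdir/full.pcapng" "$tmpdir/head.pcapng"
    rm -rf "$tmpdir"
    echo "merged capture written to $OUT"
}

# Only start capturing when explicitly asked, so sourcing the file to reuse
# the helper functions has no side effects.
if [ "${1:-}" = "run" ]; then
    split_capture
fi
```

Usage: `FULL_FILTER='tcp port 5000' IFACE=ens1f0 DURATION=120 sh split_capture.sh run`. Because both processes attach to the same interface, each one sees every packet and discards what its filter rejects; the filter runs in the kernel, so the cost of the duplicate attachment is small compared with copying full payloads for every packet. mergecap sorts by timestamp by default, so the merged file reads as a single capture.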
