[Winpcap-users] Run etheral from command lines

Guy Harris guy at alum.mit.edu
Tue Aug 9 17:38:08 GMT 2005


Gianluca Varenni wrote:

> In case you only need to capture packets and dump them to file (for 
> later decoding with ethereal or any other tool), a good idea would be to 
> use windump ("windump -w filename"), I think it's probably more 
> lightweight than ethereal/tethereal.

More lightweight, but

	tethereal -w filename

shouldn't be *too* much heavier weight, in terms of capture code path, than

	windump -w filename

but it'll be heavier weight in terms of total code size.

Note also that Tethereal defaults to a large "snapshot length", so that 
it'll capture the entire contents of packets (unless you specify a 
shorter snapshot length with "-s"), but WinDump (like tcpdump) defaults 
to something in the range of 68-96 bytes as the snapshot length, so, if 
you want the entire packet to be dumped to the file, you'll need to do

	windump -s 0 -w filename

(*REALLY* old versions of WinDump might require "-s 65535", but if you 
have a version that old, you should get a newer version).
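To make the snapshot-length point concrete, here is an added Python example (not from this thread, and not WinDump or Tethereal code) that builds a small libpcap-format file in memory with a chosen snaplen and then scans it for records whose captured length is shorter than the original packet length, which is exactly what a 68-96 byte default produces on full-size frames. The packet contents and the `build_pcap`/`check_capture` helper names are constructed for the example.

```python
import struct

# Standard libpcap global header magic for little-endian, microsecond timestamps.
PCAP_MAGIC_LE = 0xA1B2C3D4
GLOBAL_HDR = "<IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, caplen (bytes saved), origlen (bytes on the wire)

def build_pcap(snaplen, packets):
    """Constructed test data: write a pcap whose records are clipped to `snaplen`,
    the way a capture tool with a short snapshot length would clip them.
    `packets` is a list of (original_length, payload_bytes)."""
    blob = struct.pack(GLOBAL_HDR, PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for orig_len, data in packets:
        captured = data[:snaplen]
        blob += struct.pack(RECORD_HDR, 0, 0, len(captured), orig_len) + captured
    return blob

def check_capture(blob):
    """Parse a pcap blob and report its snaplen and how many records were truncated."""
    magic, _maj, _min, _tz, _sig, snaplen, _linktype = struct.unpack(GLOBAL_HDR, blob[:24])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off, total, truncated = 24, 0, 0
    while off + 16 <= len(blob):
        _ts, _us, caplen, origlen = struct.unpack(RECORD_HDR, blob[off:off + 16])
        off += 16
        if off + caplen > len(blob):
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        total += 1
        if caplen < origlen:      # fewer bytes saved than were on the wire
            truncated += 1
        off += caplen
    return {"snaplen": snaplen, "packets": total, "truncated": truncated}

if __name__ == "__main__":
    frames = [(1500, b"\xaa" * 1500), (60, b"\xbb" * 60)]   # one full-size frame, one small one
    print(check_capture(build_pcap(96, frames)))       # short snaplen: the 1500-byte frame is clipped
    print(check_capture(build_pcap(65535, frames)))    # "-s 0" style capture: nothing clipped
```

Running the same check over a real dump written by `windump -w filename` without `-s 0` shows the effect directly, since any record with caplen below origlen has lost payload that Ethereal cannot recover later.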
