[Winpcap-users] Run etheral from command lines
guy at alum.mit.edu
Tue Aug 9 17:38:08 GMT 2005
Gianluca Varenni wrote:
> In case you only need to capture packets and dump them to file (for
> later decoding with ethereal or any other tool), a good idea would be to
> use windump ("windump -w filename"), I think it's probably more
> lightweight than ethereal/tethereal.
More lightweight, but
tethereal -w filename
shouldn't be *too* much heavier weight, in terms of capture code path, than
windump -w filename
but it'll be heavier weight in terms of total code size.
Note also that Tethereal defaults to a large "snapshot length", so that
it'll capture the entire contents of packets (unless you specify a
shorter snapshot length with "-s"), but WinDump (like tcpdump) defaults
to something in the range of 68-96 bytes as the snapshot length, so, if
you want the entire packet to be dumped to the file, you'll need to do
windump -s 0 -w filename
(*REALLY* old versions of WinDump might require "-s 65535", but if you
have a version that old, you should get a newer version).
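The practical check after capturing with either tool is whether the snapshot length actually truncated anything. The script below is an added example, not code from this thread or from the WinPcap/tcpdump projects: it reads the 24-byte libpcap global header to report the snaplen the writer recorded, then walks the per-packet records and counts those whose saved length (incl_len) is shorter than their wire length (orig_len). The sample capture it parses is constructed inline (two Ethernet frames, the second longer than a 96-byte snaplen) so it runs offline; names such as pcap_snaplen and truncated_packets are this example's own.

```python
import struct

# libpcap file-format magic numbers: 0xa1b2c3d4 is the classic microsecond
# format, 0xa1b23c4d the nanosecond-timestamp variant written by newer tools.
PCAP_MAGICS = (0xa1b2c3d4, 0xa1b23c4d)


def _byte_order(data):
    """Return the struct prefix ('<' or '>') matching the file's byte order."""
    for prefix in ("<", ">"):
        if struct.unpack(prefix + "I", data[:4])[0] in PCAP_MAGICS:
            return prefix
    raise ValueError("not a pcap file (bad magic)")


def pcap_snaplen(data):
    """Snapshot length stored in the global header (offset 16, 4 bytes)."""
    bo = _byte_order(data)
    fields = struct.unpack(bo + "IHHiIII", data[:24])
    # magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    return fields[5]


def truncated_packets(data):
    """Walk every record and return (total, truncated).

    A record is truncated when incl_len (bytes saved to the file) is less
    than orig_len (bytes seen on the wire), which is exactly what a small
    snaplen such as WinDump's default produces for full-size frames.
    """
    bo = _byte_order(data)
    total = truncated = 0
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(bo + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        total += 1
        if incl_len < orig_len:
            truncated += 1
        off += 16 + incl_len
    return total, truncated


def build_sample_pcap(snaplen=96):
    """Constructed sample (not a real capture): little-endian pcap, linktype 1
    (Ethernet), two frames of 60 and 1514 bytes on the wire, each clipped to
    the given snaplen the way a capture tool would clip them."""
    header = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, 1)
    parts = [header]
    for i, wire_len in enumerate((60, 1514)):
        saved = min(wire_len, snaplen)
        parts.append(struct.pack("<IIII", 1123609088 + i, 0, saved, wire_len))
        parts.append(b"\x00" * saved)  # payload contents are irrelevant here
    return b"".join(parts)


if __name__ == "__main__":
    import sys
    # Pass a real capture file on the command line, else use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    total, cut = truncated_packets(data)
    print("snaplen=%d packets=%d truncated=%d" % (pcap_snaplen(data), total, cut))
```

Running it against a file written with "windump -w filename" at the default snaplen reports a truncated count greater than zero as soon as any full-size frame went by; the same capture taken with "windump -s 0 -w filename" (or tethereal's default) reports zero, which is the condition you want before decoding the file later.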