Wireshark capture buffer not big enough

Spin

Sep 6, 2008, 7:13:38 AM
Gurus,

When you use Wireshark to capture packets to and from your machine to others
on the network, I heard that it can dump packets because its buffer may not
be big enough to hold all the information. Is this true?

--
Spin

Jim Logajan

Sep 6, 2008, 1:51:28 PM

Wireshark/ethereal packet capture can fall behind and then miss packets
when the monitored interface sees prolonged periods of saturated wire
traffic. There are settings you can adjust that may reduce or possibly
eliminate the frequency of these drops. A fast machine also helps.

News Reader

Sep 6, 2008, 4:00:36 PM

You are generally better off using a sniffer on a system that is not one
of the connection endpoints.

To improve performance, you might consider the following:

The Capture Options permit you to limit the capture depth of each
packet. Reducing the capture depth should improve performance. In many
cases a capture depth of 100 bytes is adequate (depending on what you
are analyzing).

Automatic scrolling in live capture, and some of the higher-level Name
Resolution options also introduce a performance penalty.

Best Regards,
News Reader
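
Added example, not part of the original thread: a short Python script showing what a limited capture depth (snaplen) looks like in a saved classic pcap file, where each record stores both the captured length and the original on-the-wire length. The sample capture is constructed in the script, and the function names are hypothetical.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_sample_pcap(snaplen, wire_lengths):
    """Constructed sample: a classic pcap whose packets are cut at snaplen."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, orig_len in enumerate(wire_lengths):
        incl_len = min(orig_len, snaplen)
        # Record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1220700000 + i, 0, incl_len, orig_len)
        out += bytes(incl_len)  # zero-filled placeholder packet data
    return out

def snaplen_report(data):
    """Summarise how much of each packet the capture depth kept."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # file written on a big-endian machine
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    snaplen = struct.unpack_from(endian + "I", data, 16)[0]
    offset, packets, truncated, stored, wire = 24, 0, 0, 0, 0
    while offset + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("file ends inside a packet record")
        offset += incl_len
        packets += 1
        truncated += incl_len < orig_len  # packet was cut at the capture depth
        stored += incl_len
        wire += orig_len
    return {"snaplen": snaplen, "packets": packets, "truncated": truncated,
            "bytes_stored": stored, "bytes_on_wire": wire}

if __name__ == "__main__":
    # Constructed traffic mix: two small frames and two full-size Ethernet frames
    sample = build_sample_pcap(100, [60, 100, 1514, 1514])
    print(snaplen_report(sample))
```

A truncated record still carries the packet's original length, so analysis that needs only the headers is unaffected, while anything that needs the payload past the capture depth is not recoverable from the file.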

Jorgen Grahn

Oct 7, 2008, 2:02:00 PM

Yes, although I'm not sure if it uses a buffer or writes directly to
disk (and lets the OS do the buffering).

I always use tcpdump for collecting the data to file. Tcpdump is
simpler, and may or may not be faster than Wireshark, and may or may
not have a bigger chance of dropping packets. I have certainly seen it
miss packets when I tell it to write to a file on a slow file system.

/Jorgen

--
// Jorgen Grahn <grahn@ Ph'nglui mglw'nafh Cthulhu
\X/ snipabacken.se> R'lyeh wgah'nagl fhtagn!
