For long-running captures I'd suggest using cppcap:
sk141412: Running tcpdump causes high CPU usage - Introducing cppcap
Use of fw monitor for long-running captures is potentially more likely to impact firewall performance since it is essentially "in line" with the chain module sequences (fw ctl chain), and also if someone reinstalls policy to the gateway while an fw monitor is running, the capture will be automatically terminated due to the chain sequences being rebuilt as part of the installation process.
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com