This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark ring buffer option: milliseconds

0

Hi,

I need to know how I can use the ring buffer option with a duration in milliseconds. In the help menu there is only the possibility to listen for seconds. If it is not possible to do it in this version, can you do it for me, or at least give a hint how to do it, and I will try to change it in the code.

asked 01 Dec '10, 05:33


yassine
1111
accept rate: 0%

Why would you want to capture only for milliseconds? Do you have a capture scenario where a second long ring buffer is too large? I never heard of that :-)

Or are you talking about the desired time resolution of the frame timestamps?

(01 Dec '10, 09:40) Jasper ♦♦

It's not a problem of how long a ring buffer is during 1 second or more, but I just need a scope of the network traffic of some milliseconds (300 or 500 ms) to get an instantaneous overview of throughput to make some decisions afterwards.

(03 Dec '10, 02:27) yassine

One Answer:

1

It is not possible to select subsecond rotate intervals. It would be possible to add this to the source, but it needs to be done in several places. At least in the following locations:

$ srcfgrep has_file_duration *
capture_opts.c
capture_opts.h
capture_sync.c
dumpcap.c
gtk/capture_dlg.c
gtk/main.c
tshark.c
$

For the moment, you might want to use dumpcap to make capture slices of 1 second and use "editcap -c" to split into files with a certain amount of packets (editcap -i also uses whole seconds unfortunately).

answered 01 Dec '10, 11:09


SYN-bit ♦♦
17.1k957245
accept rate: 20%
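
An added example, not part of the answer above and not Wireshark code: since the capture tools only rotate on whole seconds, the 300 or 500 ms throughput view asked for can be computed afterwards by binning the packets of a 1-second slice by timestamp. The names `throughput_windows` and `constructed_sample` are hypothetical, the sample capture is constructed, and the slice is assumed to be in classic pcap format (pcapng is rejected).

```python
import io
import struct

# Classic pcap magic (first 4 file bytes) -> (byte order, timestamp ticks per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),
}

def throughput_windows(stream, window_ms=500):
    """Return [(window_start_ms, packets, bytes, bits_per_second), ...]."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    order, ticks = MAGICS[header[:4]]
    record = struct.Struct(order + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    window_ns = window_ms * 10**6
    counts, first_ns = {}, None
    while True:
        raw = stream.read(record.size)
        if len(raw) < record.size:
            break  # end of file
        ts_sec, ts_frac, incl_len, orig_len = record.unpack(raw)
        if len(stream.read(incl_len)) < incl_len:
            break  # last packet truncated, e.g. slice copied while being written
        ts_ns = ts_sec * 10**9 + ts_frac * (10**9 // ticks)
        if first_ns is None:
            first_ns = ts_ns  # windows are measured from the first packet
        idx = (ts_ns - first_ns) // window_ns
        pkts, size = counts.get(idx, (0, 0))
        counts[idx] = (pkts + 1, size + orig_len)  # orig_len: bytes on the wire
    if not counts:
        return []
    rows = []
    for idx in range(min(counts), max(counts) + 1):  # keep idle windows as zeros
        pkts, size = counts.get(idx, (0, 0))
        rows.append((idx * window_ms, pkts, size, size * 8 * 1000 // window_ms))
    return rows

def constructed_sample():
    """Constructed capture: (seconds, microseconds, wire length) per packet."""
    packets = [(100, 0, 1500), (100, 100000, 500), (100, 499999, 60),
               (100, 500000, 1000), (101, 700000, 250)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, length in packets:
        out += struct.pack("<IIII", sec, usec, length, length) + bytes(length)
    return io.BytesIO(out)
```

Call it with an open slice, for example `throughput_windows(open(path, "rb"), 300)`, where `path` is one of the 1-second files.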