This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What options do I use to never lose data?


I do not want capture files to ever be overwritten or discarded.

I do not want capturing to ever stop.

asked 03 Jul '12, 09:02 by tompdiaz


One Answer:


You can use dumpcap with a very large number of ring buffer files.

Windows:

dumpcap.exe -i 1 -b filesize:100000 -b files:100000 -w output.cap

Linux:

dumpcap -i eth0 -b filesize:100000 -b files:100000 -w output.cap

This will capture 100,000 files with 100 MByte each and thus it will virtually run "forever", or until your disk is full, whichever happens first. If that is not sufficient, just raise the values.

Regards
Kurt

answered 03 Jul '12, 09:42 by Kurt Knochner ♦

edited 04 Jul '12, 01:20 by Jaap ♦


Kurt, you can omit the "-b files:100000" option to make dumpcap not overwrite old files.

(Which will make the capture run "forever" if you bought the new "infinite" drive from www.nowthatswhaticallabigharddisk.com)

(03 Jul '12, 09:51) SYN-bit ♦♦

Thanks. I never tried that!

BTW: Should that link actually work?

(03 Jul '12, 09:57) Kurt Knochner ♦

Oops... I forgot to add the ";-)"

(03 Jul '12, 10:43) SYN-bit ♦♦

Damn, and I was already about to launch amazon.com... ;-)

(03 Jul '12, 11:00) Kurt Knochner ♦

Also the 100MB might be a bit large for Wireshark to grok when you want to look into them.

(04 Jul '12, 01:20) Jaap ♦

Really? Usually I split them in chunks of 250-400 MB with no (technical) problem at all. It's for sure a challenge to find THAT one packet, but that's a layer 8 problem.

(04 Jul '12, 01:48) Kurt Knochner ♦
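Added example (shell, written for this archive page; it is not code from the original answer or from the Wireshark project) that turns the answer and SYN-bit's comment above into a small planner: it computes how much space a ring of filesize x files needs, checks it against the free space of the output directory, and emits the dumpcap command with each -b option passed separately, or without files: for the never-overwrite variant. The interface name, the output directory and the 10% headroom are assumptions; dumpcap itself is not started.

```shell
#!/bin/sh
# Added example, not part of the original answer: plan a dumpcap ring
# buffer so that "never lose data" does not silently become "disk full".
# With -b filesize:N dumpcap starts a new file after N kB; with -b files:M
# it overwrites the oldest file once M exist; without files:M nothing is
# overwritten and the capture stops when the disk fills.

# Space the complete ring needs, in kB (filesize is given in kB).
ring_kb() {
    # $1 = filesize in kB, $2 = number of files
    echo $(( $1 * $2 ))
}

# Largest files:M that fits into $2 kB of free space at $1 kB per file,
# keeping 10% headroom (assumed) so the filesystem is never filled completely.
max_files() {
    # $1 = filesize in kB, $2 = free space in kB
    echo $(( $2 * 9 / 10 / $1 ))
}

# Build the command line. Each ring option needs its own -b; a bare
# "files:M" after -b filesize:N would be taken as a capture filter.
# $4 = 0 means no files: limit, i.e. never overwrite (SYN-bit's variant).
build_cmd() {
    # $1 = interface, $2 = filesize in kB, $3 = output path, $4 = files
    if [ "$4" -gt 0 ]; then
        echo "dumpcap -i $1 -b filesize:$2 -b files:$4 -w $3"
    else
        echo "dumpcap -i $1 -b filesize:$2 -w $3"
    fi
}

# Check a plan against the free space of the output directory's filesystem
# and print the command; returns 1 (with a hint) when the ring cannot fit.
plan_capture() {
    # $1 = output dir, $2 = interface, $3 = filesize in kB, $4 = files
    free_kb=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    need_kb=$(ring_kb "$3" "$4")
    if [ "$4" -gt 0 ] && [ "$need_kb" -gt "$free_kb" ]; then
        echo "ring needs $need_kb kB but only $free_kb kB are free;" \
             "largest ring that fits: files:$(max_files "$3" "$free_kb")" >&2
        return 1
    fi
    build_cmd "$2" "$3" "$1/output.cap" "$4"
}

# The answer's numbers (100000 files of 100 MB); on most hosts this reports
# that the ring does not fit and suggests a files: value that does.
plan_capture /tmp eth0 100000 100000 || :
```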