Hi, I am using dumpcap to capture, but the way I have set up my script a new file should be made every time it reaches the maximum filesize, and it's not doing it. Can you please help? I am using the following command ...

/usr/bin/dumpcap -i eth0 -g -s 65536 -w /data/int0/int0 -b files:10000 -b filesize:24000 -b duration:600 -q &

capture ring buffer option not working

asked 22 Aug '12, 11:13 helloworld0722
edited 24 Aug '12, 19:37 Guy Harris ♦♦

One Answer:
For limiting your capture to 2.4 GB, the number of KB = 2516582.4, but dumpcap takes only decimal. Below is the command:

"dumpcap -i eth0 -a filesize:2516582 -w output.pcap"

For example, if I want to capture 10 KB from the eth0 interface, I will give it as:

"dumpcap -i eth0 -a filesize:10 -w test.cap"

If I check the size of the file, it has 77 bytes more.

[[email protected] harsha]# ll
total 12
-rw-------. 1 root root 10317 Aug 24 17:14 test.cap

So the same will be the case with your 2.4 GB file, i.e. the bytes will be rounded off by the packet length (the packet will not be chopped).

answered 24 Aug '12, 05:00 Harsha
edited 24 Aug '12, 05:03

The above answer is for (link:http://ask.wireshark.org/questions/13850/how-to-capture-using-dumpcap)
(24 Aug '12, 05:04) Harsha

It would be more helpful to provide an answer for this question, not another very similar one. This just confuses other users. The command line provided in this question clearly has What they haven't told us is what does happen; "not working" isn't really sufficient to help much. Using the trunk dumpcap (r44426) and a similar command line, the ring buffers work for me.
(24 Aug '12, 05:28) grahamb ♦

What is your Wireshark version?