This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture ring buffer problem

Hi, I am using dumpcap to capture, but the way I have set up my script, a new file should be made every time it reaches the maximum file size, and it's not doing it. Can you please help? I am using the following command ...

/usr/bin/dumpcap -i eth0 -g -s 65536 -w /data/int0/int0 -b files:10000 -b filesize:24000 -b duration:600 -q &

capture ring buffer option not working

asked 22 Aug '12, 11:13

helloworld0722

edited 24 Aug '12, 19:37

Guy Harris ♦♦

What is your Wireshark version?

(24 Aug '12, 02:31) Kurt Knochner ♦

One Answer:

To limit your capture to 2.4 GB, the number of KB = 2516582.4, but dumpcap takes only decimal. Below is the command:

"dumpcap -i eth0 -a filesize:2516582 -w output.pcap"

For example, if I want to capture 10 KB from the eth0 interface, I will give it as

"dumpcap -i eth0 -a filesize:10 -w test.cap"

If I check the size of the file, it has 77 bytes more.

[[email protected] harsha]# ll
total 12
-rw-------. 1 root root 10317 Aug 24 17:14 test.cap

So the same will be the case with your 2.4 GB file, i.e. the bytes will be rounded off by the packet length (the packet will not be chopped).

answered 24 Aug '12, 05:00

Harsha

edited 24 Aug '12, 05:03

(24 Aug '12, 05:04) Harsha

It would be more helpful to provide an answer for this question, not another very similar one. This just confuses other users.

The command line provided in this question clearly has -b filesize:24000 so the poster knows how to limit the capture file to some value, even if that isn't the 2.4GB as per the other question.

What they haven't told us is what does happen; "not working" isn't really sufficient to help much.

Using the trunk dumpcap (r44426) and a similar command line the ring buffers work for me.

(24 Aug '12, 05:28) grahamb ♦
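
To show what a ring-buffer capture actually wrote, the following shell function audits the output files. It is an added example, not part of any post in this thread and not Wireshark project code. It assumes a `-w` prefix without a file extension, the `PREFIX_NNNNN_timestamp` names dumpcap gives ring files, 1 kB = 1024 bytes as in the answer's arithmetic, and a 64-byte allowance for per-packet overhead; the name `audit_ring` and the output labels are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: audit the files a dumpcap ring buffer has written.
# Usage: audit_ring PREFIX LIMIT_KB MAX_FILES SNAPLEN
# For the command in the question: audit_ring /data/int0/int0 24000 10000 65536
audit_ring() {
    local prefix="$1" limit_kb="$2" max_files="$3" snaplen="$4"
    local limit=$((limit_kb * 1024))   # assumption: 1 kB = 1024 bytes
    local slack=$((snaplen + 64))      # assumption: last whole packet plus record overhead
    local count=0 status=0 f size

    for f in "$prefix"_*; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal; skip it
        count=$((count + 1))
        size=$(( $(wc -c < "$f") ))
        # Packets are not chopped, so a file may exceed the limit by one packet.
        if [ "$size" -gt $((limit + slack)) ]; then
            echo "OVERSIZE $f $size bytes (limit $limit + slack $slack)"
            status=1
        fi
    done

    if [ "$count" -eq 0 ]; then
        if [ -f "$prefix" ]; then
            # A file with the bare -w name means no -b option took effect.
            echo "NO_RING $prefix is a single capture file, not a ring"
        else
            echo "NO_FILES nothing written under $prefix"
        fi
        return 1
    fi
    if [ "$count" -gt "$max_files" ]; then
        echo "TOO_MANY $count files, ring is capped at $max_files"
        status=1
    fi
    echo "SUMMARY files=$count"
    return "$status"
}
```

An `OVERSIZE` line on the newest file is the symptom described in the question (no switch to a new file); `NO_RING` is what a capture started with only `-a filesize:` and no `-b` options leaves behind.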