Hi! Sorry for my bad English :/ I'm using dumpcap on the command line with different parameters...
So, this command contains a lot of filters; anyway, that's not the problem. The problem is the "-b duration:600" part. Sometimes dumpcap can listen to the network for a whole day without any bug, and the next day it stops splitting files after a few hours... I noticed this too: when dumpcap splits the file after a long random period (during the "bug")... the command crashes; we can see it running with the "top" command but... it is not working anymore.
Running on Raspbian Wheezy.
Thanks for helping! Have a good day! Vincent.
asked 09 Jul '13, 06:19 FriZBy76 edited 09 Jul '13, 06:48
2 Answers:
Sounds like bug 7423, could you try the latest 1.8 (1.8.8) or 1.10 (1.10.0) release?
answered 09 Jul '13, 06:57 SYN-bit ♦♦ edited 09 Jul '13, 06:58
Trying it. I'll start a capture and come back here to tell you what happens. (09 Jul '13, 07:04) FriZBy76
I can't build Wireshark 1.10, I've got some errors... I lost my morning trying it :( (10 Jul '13, 02:49) FriZBy76
Can you please run these commands, while the problem occurs, and then post the output here?
Also this:
If the system is in this state, please get the PID of dumpcap and wireshark and run strace on both.
Then post the files /var/tmp/*.trace here.
answered 10 Jul '13, 01:24 Kurt Knochner ♦ edited 12 Jul '13, 03:09
So:
I'll execute strace soon (12 Jul '13, 02:10) FriZBy76
Does the file (12 Jul '13, 02:14) Kurt Knochner ♦
Still growing... it is now 181.4 Mio (12 Jul '13, 02:15) FriZBy76
Strace result:
(12 Jul '13, 02:17) FriZBy76
Is this the strace of dumpcap? If so, I wonder why these paths are in the strace output!?! Do they make any sense to you?
Are you sure you traced the dumpcap process PID? If you run the strace command again, please use these parameters.
(12 Jul '13, 02:56) Kurt Knochner ♦
I ran this command: strace -f -o /var/tmp/19259.trace -p 19259
19259 is the PID of dumpcap. The paths you mention are paths I use with my web application to download the pcap files. I'll make a new strace. Coming back in a few minutes (12 Jul '13, 03:46) FriZBy76
Hm.. are you sure PID 19259 is just dumpcap, and not a script that starts dumpcap? Looks kind of strange. How does your web application work (start of dumpcap, download of files, etc.)? (12 Jul '13, 03:49) Kurt Knochner ♦
Trace file with the new command you mentioned:
(12 Jul '13, 03:50) FriZBy76
There is HTML code in the output of strace. I don't see how this could be the strace output of the dumpcap process, although the PID (19259) is the same as in the lsof output, which itself looks O.K. !??! Could you please post the output of
So, again: How do you call dumpcap in your application (what is /var/www/command/tshark)? Maybe that's the reason for the problem. (12 Jul '13, 03:56) Kurt Knochner ♦
There is HTML in it because I'm listening on port 80 (for testing). And what you see is just a dirty Ajax response :) In this case, dumpcap was started by PHP-CGI with shell_exec(sudo nohup dumpcap -P -f [parameters] -i eth0 -w /mnt/hdd/tsar_files_to_proceed/REC.pcap > /dev/null &). PHP-CGI, LIGHTTPD and DUMPCAP have 3 different PIDs. So I'm pretty sure 19259 is the right one (corresponding to dumpcap in top). So, to download a file, I've just put a symbolic link in the WWW folder which points to the /mnt/hdd/tsar_data/ folder. (Sorry for the new response, the site considers me a BOT :o ) (12 Jul '13, 04:04) FriZBy76
auxww command:
dumpcap:
(12 Jul '13, 04:11) FriZBy76
Ah, of course. That makes sense!
O.K. I also think it's the correct PID now (see my comment about lsof). Sorry for the confusion!! (12 Jul '13, 04:18) Kurt Knochner ♦
tshark is not used anymore in our app, we use dumpcap. pstree:
So, /var/www/command/tshark is a folder with different files in it to configure and launch the dumpcap command from the web interface. The one you are looking for is /var/www/command/tshark/sniff.php
Which version of dumpcap are you using and which OS version?
dumpcap 1.8.2 running on Raspbian Wheezy ( Edited :) )
Are you sure the filesystem is not filled up with capture files and that's the reason why it stops working?
Sure! Files are written on an external drive (8GB, 5,5GB free!) and this phenomenon is totally random... I don't understand
OK, I'm starting a capture. Waiting for the bug ^^' ...
Please let strace run for 10-30 seconds!
BTW: here is an update to the lsof command:
BTW: Are there any messages in the output of dmesg about the mounted disk?
See my new answer... Comments are restricted, the response command is too long =)