This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

revive/continue ring buffer

0

Hi,

For the reconstruction of network attacks or failures I am currently working on a system that stores all incoming network traffic on a hard drive. So far this works completely fine, also thanks to the ring buffer feature. But: after shutdown I would very much like to continue my existing ring buffer without having to manually delete the old files. Unfortunately I have not yet found any hint on how to achieve this. Ideally I would like to pass an argument to tshark which contains the last log file, and it continues the ring buffer.

Does this feature exist? Or does anyone have any helpful suggestions for me?

Thanks in advance, straw

asked 18 Dec '13, 12:55


straw
accept rate: 0%

edited 19 Dec '13, 02:49


One Answer:

2

I'm not sure, but I guess dumpcap keeps a list of files in memory and deletes the oldest when the limit is reached and a new file is created. If that is the case, I'm pretty sure that this list is not written to disk when dumpcap exits, so when you start a new session it doesn't "know" the old file names anymore.

Maybe a feature request to scan the directory for files with the exact same name pattern when starting dumpcap could be added to http://bugs.wireshark.org, but it would most likely also require a new command line switch to force that behavior. Otherwise people will overwrite their old files by mistake because they do not expect this to happen.

answered 18 Dec '13, 14:46


Jasper ♦♦
accept rate: 18%

Hi Jasper, thanks for your reply. As far as I have found out so far, the list of files is indeed stored in memory, which of course explains why it does not delete those old files. Thanks for the hint about writing a feature request. Any other ideas on how I could solve my problem until this feature makes it to a stable version (if so)?

(19 Dec '13, 02:52) straw

Any other ideas on how I could solve my problem until this feature makes it to a stable version (if so)?

You could write a wrapper script that replaces dumpcap. Within the script, you should clean up the old files and then call the real dumpcap.

Regards
Kurt

(19 Dec '13, 04:50) Kurt Knochner ♦

Thanks Kurt, but I don't think I really will do this. That seems like quite a lot of work to me.

(19 Dec '13, 06:15) straw
1

Well, then your options are:

  • do it manually
  • file an enhancement bug
(19 Dec '13, 15:21) Kurt Knochner ♦
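Kurt's wrapper-script suggestion, written out as an added example; this is not code from the thread or from the Wireshark project. It assumes dumpcap's documented ring-buffer file naming, `<prefix>_<NNNNN>_<YYYYMMDDhhmmss>.<ext>`, and relies on the fact that dumpcap restarts the sequence number at 00001 on every run, so leftover files from earlier sessions are ordered by the timestamp field in the name rather than by the sequence number. The function names (`ring_files`, `ring_count`, `prune_ring`, `start_ring`) and the argument layout are my own. dumpcap only tracks the files it created in the current run, so the wrapper does not truly continue the old ring; it bounds disk usage at KEEP_OLD leftover files plus the `-b files:N` of the new run, and deletes nothing that does not match the ring-file pattern.

```shell
#!/bin/sh
# Wrapper around dumpcap that prunes leftovers from earlier ring-buffer
# sessions before starting a new ring (added example, not from the thread).
# Assumed naming of dumpcap ring files: <prefix>_<NNNNN>_<YYYYMMDDhhmmss>.<ext>
# dumpcap restarts <NNNNN> at 00001 on each run, so files are ordered here by
# the timestamp field, not by the sequence number.

# ring_files DIR PREFIX: print "<timestamp> <path>" for every ring file in DIR
# whose name matches the pattern, oldest first. Files without an extension or
# without an all-digit timestamp field are ignored.
ring_files() {
    dir=$1 prefix=$2
    for f in "$dir/${prefix}"_[0-9]*_[0-9]*.*; do
        [ -f "$f" ] || continue
        base=${f##*/}           # strip directory
        stem=${base%.*}         # strip extension
        ts=${stem##*_}          # trailing timestamp field
        case $ts in *[!0-9]*|'') continue ;; esac
        printf '%s %s\n' "$ts" "$f"
    done | sort
}

# ring_count DIR PREFIX: number of matching ring files in DIR.
ring_count() {
    ring_files "$1" "$2" | awk 'END { print NR }'
}

# prune_ring DIR PREFIX KEEP: delete all but the KEEP newest ring files.
# Non-matching files (other prefixes, notes, etc.) are never touched.
prune_ring() {
    dir=$1 prefix=$2 keep=$3
    ring_files "$dir" "$prefix" |
        awk -v keep="$keep" '{ l[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print l[i] }' |
        while read -r _ts path; do
            rm -f -- "$path"
        done
}

# start_ring DIR PREFIX KEEP_OLD FILES FILESIZE_KB IFACE: prune leftovers,
# then replace this shell with the real dumpcap. Disk usage is bounded by
# KEEP_OLD old files plus FILES new ones of at most FILESIZE_KB kB each.
start_ring() {
    dir=$1 prefix=$2 keep_old=$3 files=$4 size_kb=$5 iface=$6
    prune_ring "$dir" "$prefix" "$keep_old"
    exec dumpcap -i "$iface" -w "$dir/$prefix.pcapng" \
        -b filesize:"$size_kb" -b files:"$files"
}

# Usage: ringwrap.sh DIR PREFIX KEEP_OLD FILES FILESIZE_KB IFACE
# e.g.   ringwrap.sh /var/cap capture 50 100 102400 eth0
if [ "$#" -eq 6 ]; then
    start_ring "$@"
fi
```

Run it from the same init script or cron job that started tshark/dumpcap before; dumpcap needs the capture privileges it would have had anyway. If the filename prefix itself contains underscores the glob still works, because only the last underscore-separated field is read as the timestamp.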