This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dumpcap issue while splitting files by duration

0

Hi there, I've an issue with the dumpcap command. First of all, I'm working in a Linux environment (on Raspbian, on a Raspberry Pi, exactly). I've a PHP frontend, which asks the user to type parameters, and then when he launches the capture (by clicking on a button), the following PHP code is executed:

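// Shell-quote each user-supplied value so it cannot alter the sudo command line
shell_exec("sudo nohup dumpcap -P -f ".escapeshellarg($fport)." -b duration:".escapeshellarg($ftime)." -i ".escapeshellarg($finterface)." -w /mnt/hdd/files_to_proceed/REC.pcap > /dev/null &");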

My Raspberry Pi is correctly connected to the network, the capture starts correctly and all the packets are captured and stored in the correct files. That's a good point. My problem is, if I choose a 5 min duration for example, dumpcap will correctly split files every 5 minutes, until it magically stops splitting and stores all the packets in the same .pcap file for more than 5 minutes. And, after a random time, it suddenly splits files every 5 minutes correctly again. After many tests, I figured out that:
- This issue is independent of the amount of time chosen
- It appears at and for a random time
- Sometimes it doesn't show up and the whole capture is a success
Finally, the tests were run over whole nights (so for many hours), simply because this feature is supposed to work 24 hours a day for several months.

I don't know if you guys already had that issue, or if it's due to the dumpcap lib or not, but I really need help on this!

asked 24 Apr '14, 06:03

Lecclem


One Answer:

1

Sounds like a bug to me, and a tricky one since it can not always be reproduced.

Most people I know do not use the "-b duration" switch since it can get you into trouble when the line has bursty traffic patterns. Which is why usually "-b filesize" is used instead, to keep the capture files consistent in size (e.g. to be able to load them). So if you need time-based splitting it is quite possible that this problem did not occur to anyone else, or they just used the filesize-based splitting as a workaround and didn't say anything :-)

You might want to head over to the Bugtracker to open a report.

answered 24 Apr '14, 06:26

Jasper ♦♦

Actually I think there's already a similar bug report for this. It's quite old so a report that it's still a problem would be useful.

(24 Apr '14, 11:55) JeffMorriss ♦

Thanks for your answers! I am currently working on my own way to capture packets (including a time filter) through the libpcap library in C; I see no other way (besides using a filesize filter, which will be my ultimate last solution)... But I'm glad that bug was reported and I'll try to "up" that report ASAP.

(29 Apr '14, 01:02) Lecclem
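
For a capture meant to run unattended for months, the symptom described in the question can be checked for from the file names alone. The following is an added example, not code from any poster or from the Wireshark project: it assumes dumpcap's multi-file naming of `<prefix>_<index>_<YYYYMMDDHHMMSS>.pcap`, and the function names and sample file names are constructed.

```python
import re
from datetime import datetime

# Assumed dumpcap multi-file name: <prefix>_<index>_<YYYYMMDDHHMMSS>.pcap[ng]
NAME_RE = re.compile(r"_(\d{5,})_(\d{14})\.pcap(?:ng)?$")


def parse_start(filename):
    """Return (index, start time) taken from a multi-file name, or None."""
    m = NAME_RE.search(filename)
    if not m:
        return None
    return int(m.group(1)), datetime.strptime(m.group(2), "%Y%m%d%H%M%S")


def find_missed_rotations(filenames, duration_s, slack_s=2, now=None):
    """List (filename, seconds_covered) for files that outlived -b duration.

    A file's coverage is the gap to the next file's start time. The newest
    file is still being written, so it is only judged when `now` is given.
    Timestamps are local time: a DST change shows up as a one-hour error.
    """
    files = sorted((p, f) for f in filenames if (p := parse_start(f)))
    ends = [p[1] for p, _ in files[1:]] + ([now] if now else [])
    late = []
    for ((_, start), name), end in zip(files, ends):
        covered = (end - start).total_seconds()
        if covered > duration_s + slack_s:
            late.append((name, int(covered)))
    return late


# Constructed directory listing for a "-b duration:300" capture.
SAMPLE = [
    "REC_00001_20140424220000.pcap",
    "REC_00002_20140424220500.pcap",
    "REC_00003_20140424221000.pcap",
    "REC_00004_20140424222730.pcap",  # previous file ran 17 min 30 s
    "REC_00005_20140424223230.pcap",
    "notes.txt",                      # ignored: not a capture file
]

if __name__ == "__main__":
    for name, seconds in find_missed_rotations(SAMPLE, 300):
        print(f"{name}: covered {seconds}s, expected about 300s")
```

Run it from cron against the capture directory with `now=datetime.now()` to also catch a file that is currently overdue for rotation.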