
stops instead of creating new file

0

Hi,

I have a script I made that is run on 4 pcs every day for 8 hours and saved to a mapped shared drive (edited only for the folder location on the share to differentiate them).

On 2 PCs this thing runs fine; on the other 2 PCs tshark stops at 200MB and doesn't create a new file. At the end of the day two PCs have generated 5GB worth of 200MB files, which is what I want, while the other 2... 200MB. This is the script:

"C:\Program Files\Wireshark\tshark.exe" -i 1 -a duration:28800 -a filesize:20480 -a files:512 -w "M:\Departments\tcs\Issue Log-Proclarity\Desktop\test\%dt%.pcap"

asked 05 Aug '14, 08:39

weeksa


One Answer:

0

Don't use tshark, use dumpcap. tshark (and wireshark) store state for reassembly and at some point WILL run out of memory regardless of how many capture files you create, and are not designed for long-term capture.

Also saving to a shared drive probably isn't the greatest idea, as a) it is much slower than a local drive (which might not be an issue if your traffic being captured is minimal) and b) might fail if the network connection to the mapped drive is lost.

If you explained what you are trying to achieve then we might be able to offer a better solution.

answered 05 Aug '14, 08:45

grahamb ♦

What's dumpcap?

Sorry, I'm new to this and just learnt the script. I was thrown into a project where they want to monitor the network on these 4 PCs and then check logs to see differences and spot an apparent slowness issue with one application we use. Because of that, that shared drive was set up.

So what I did was learn how to create a batch file (the one above):

"C:\Program Files\Wireshark\tshark.exe" -i 1 -a duration:28800 -a filesize:20480 -a files:512 -w "M:\Departments\tcs\Issue Log-Proclarity\Desktop\test\%dt%.pcap"

and from there made a vbscript to make that run in the background (so the users won't accidentally close it):

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "C:\script\wshark.bat" & Chr(34), 0
Set WshShell = Nothing

and from there created a Monday-Friday Windows task to launch the script at 9am. It works flawlessly on two PCs. On the other two I set the filesize higher since it won't re-generate the new file. So every 2GB I go to those PCs and manually run the script.

(05 Aug '14, 09:05) weeksa

dumpcap is a component of the Wireshark suite that actually handles the capturing tasks. tshark and Wireshark run dumpcap to capture traffic. See the dumpcap man page here.

Is it possible there are quota limits for the users on the machines that don't work?

(05 Aug '14, 09:18) grahamb ♦

How would I find out if there is a quota limit? To the best of my knowledge there is nothing stopping this, especially because increasing the filesize from 200MB to 4GB yields one giant 2GB file... They never go past 2GB.

(05 Aug '14, 10:16) weeksa
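
The answer's two suggestions (capture with dumpcap, write to a local drive) combined into one batch file, as an added example that is not code from the thread or from the Wireshark project. Assumptions: C:\captures is a local folder with enough free space, and 204800 kB per file matches the 200MB files described in the question; the interface number and share path are the ones from the question. Per the dumpcap manual, "-a filesize" stops the capture at that size unless "-b" is also given, while "-b filesize" switches to the next file.

```batch
@echo off
rem Added example, not from the original thread.
rem Assumptions: C:\captures is a local folder with free space; 204800 kB
rem (200 MB) per file is taken from the question's description.
setlocal
set "DUMPCAP=C:\Program Files\Wireshark\dumpcap.exe"
set "LOCALDIR=C:\captures"
set "SHARE=M:\Departments\tcs\Issue Log-Proclarity\Desktop\test"
set "LOG=%LOCALDIR%\capture.log"

if not exist "%LOCALDIR%" mkdir "%LOCALDIR%"

rem -b filesize:204800  switch to a new file every 200 MB (multi-file mode)
rem -a duration:28800   stop after 8 hours
rem -a files:512        stop after 512 files have been written
rem dumpcap appends a file number and timestamp to the name given with -w,
rem so no date variable is needed in the file name.
"%DUMPCAP%" -i 1 -a duration:28800 -b filesize:204800 -a files:512 -w "%LOCALDIR%\capture.pcap"
if errorlevel 1 (
    echo %date% %time% dumpcap exited with an error >> "%LOG%"
)

rem Move the finished files to the share once the capture has ended.
rem robocopy exit codes of 8 or higher mean at least one file failed to copy;
rem with /MOV a file is deleted locally only after it was copied.
robocopy "%LOCALDIR%" "%SHARE%" *.pcap /MOV /R:3 /W:10 >> "%LOG%"
if errorlevel 8 (
    echo %date% %time% copy to share failed, files remain in %LOCALDIR% >> "%LOG%"
)
endlocal
```

Writing locally and moving the files afterwards means a dropped connection to the mapped drive delays the copy instead of ending the capture.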