This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Ring Buffer stops capture after 1135 iterations

0

Hi All,

I am trying to capture packets for a really long duration of time. In order to save my hard disk from getting filled up I chose to use ring buffer.

The option I gave were "-b file:30" Strangely the capture stops at 1135th iteration. What is the max file size for these 30 files. If it was hitting the memory limit then why did it not complain after 1st iteration?

Thanks and Regards,

Aparna N

asked 14 Jan '15, 22:18

Aparna's gravatar image

Aparna
6558
accept rate: 0%

edited 14 Jan '15, 22:19

One Answer:

1

If you are capturing with tshark, you will eventually run into the memory limit problem, see the following questions.

https://ask.wireshark.org/questions/34035/tshark-memory-usage-explanation-needed
https://ask.wireshark.org/questions/31648/tshark-uses-all-memory-on-mavericks-triggering-out-of-application-memory-errors
https://ask.wireshark.org/questions/25091/wireshark-tshark-out-of-memory-problem

Instead, you should do the pure capturing with dumpcap and later the analysis with Wireshark or tshark.

Regards
Kurt

answered 15 Jan '15, 00:53

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 15 Jan '15, 03:23

grahamb's gravatar image

grahamb ♦
19.8k330206

Hi Kurt, Thank you for the apt answer. I am using tshark currently. I shall try dumpcap. Will know if it does the trick for me in 24-28 hours.

(15 Jan '15, 01:58) Aparna

It will ;-))

(15 Jan '15, 01:59) Kurt Knochner ♦