This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to: buffering recent packets only?


I want to debug:

  • Wireshark should run continuously, since I don't know when the bug shows up.
  • I don't want/need to save all packets, as Wireshark will crash.
  • When the bug shows up, I will stop Wireshark.
  • When it stops, I hope I can see/save the last few packets (for example 1000 packets)
  • (so it should get rid of all previous packets to avoid low memory)

So is it possible to do this way? How?

Thanks!

asked 19 Nov '15, 08:21


jerryws
accept rate: 0%

edited 19 Nov '15, 08:27

Thanks all you guys!

I tried the solution from Kurt, and it works well: much better than my expectation!

(19 Nov '15, 11:24) jerryws

So, have fun with it!

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(19 Nov '15, 11:57) Kurt Knochner ♦

Yes, I checked and thumbed up!

Haha, this is the first time I've known about and used these fun tools.

(19 Nov '15, 12:22) jerryws

3 Answers:


You can't do that with Wireshark, as it will run out of memory. Please use dumpcap instead with a file ring buffer.

dumpcap -ni <interface> -w output.pcap -b filesize:100000 -b files:50

This will generate 50 files, each 100 Mbytes large. The 51st file will overwrite the 1st. You can leave this running until the problem shows up. Then stop dumpcap and open the last few files (maybe just the last one).

Please see the dumpcap man page for more options.

https://www.wireshark.org/docs/man-pages/dumpcap.html

Regards
Kurt

answered 19 Nov '15, 09:13


Kurt Knochner ♦
accept rate: 15%
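Once dumpcap has been stopped, the ring buffer leaves a handful of files on disk and the asker still wants only the last few hundred packets. The following is an added example, not code from this answer or from the Wireshark project: it orders the ring files by dumpcap's sequence counter and then streams them through a bounded deque so that only the last N packets stay in memory, which is exactly the "discard everything older" behaviour the question asks for. The file-name pattern `<base>_<NNNNN>_<YYYYMMDDhhmmss>.pcap` and the constructed sample captures are assumptions made here; the pcap layout (24-byte global header, 16-byte record headers) follows the classic libpcap format.

```python
import re
import struct
from collections import deque

# pcap global-header magic -> struct byte-order prefix (classic libpcap format)
_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

# Assumed dumpcap ring-file naming: <base>_<NNNNN>_<YYYYMMDDhhmmss>.pcap.
# The counter keeps growing as old files are deleted, so the largest NNNNN
# is the newest file regardless of directory listing order.
_RING_NAME = re.compile(r"_(\d{5})_\d{14}\.pcap(?:ng)?$")


def ring_files_oldest_first(names):
    """Order ring-buffer file names oldest to newest by sequence counter."""
    def seq(name):
        m = _RING_NAME.search(name)
        if not m:
            raise ValueError(f"not a dumpcap ring file name: {name}")
        return int(m.group(1))
    return sorted(names, key=seq)


def iter_records(data):
    """Yield (ts_sec, ts_frac, raw_record) for every complete record in a pcap blob."""
    order = _MAGIC.get(data[:4])
    if order is None:
        raise ValueError("not a pcap file (unknown magic)")
    pos = 24  # skip the global header
    while pos + 16 <= len(data):
        ts_sec, ts_frac, caplen, _origlen = struct.unpack(order + "IIII", data[pos:pos + 16])
        end = pos + 16 + caplen
        if end > len(data):
            break  # truncated final record: dumpcap was stopped mid-write
        yield ts_sec, ts_frac, data[pos:end]
        pos = end


def last_n_packets(pcap_blobs, n):
    """Return (global_header, [raw_records]) holding only the last n packets
    across the blobs (given oldest first); memory is bounded by n records."""
    header = None
    keep = deque(maxlen=n)
    for blob in pcap_blobs:
        if header is None:
            header = blob[:24]
        elif blob[:4] != header[:4]:
            raise ValueError("ring files differ in byte order / timestamp precision")
        for _, _, raw in iter_records(blob):
            keep.append(raw)
    return header, list(keep)


def write_pcap(header, records):
    """Serialise the kept records back into a single pcap blob Wireshark can open."""
    return header + b"".join(records)


def make_sample_pcap(first_seq, count):
    """Constructed sample: `count` dummy Ethernet frames carrying a sequence number."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    out = [header]
    for i in range(count):
        seq = first_seq + i
        frame = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + struct.pack("<I", seq)
        out.append(struct.pack("<IIII", 1447924800 + seq, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def packet_seq(raw_record):
    """Recover the constructed sequence number from a raw record (for checking results)."""
    return struct.unpack("<I", raw_record[16 + 14:16 + 18])[0]


if __name__ == "__main__":
    # Three constructed ring files listed out of order, as a directory scan might return them.
    files = {
        "output_00049_20151119110000.pcap": make_sample_pcap(4800, 100),
        "output_00050_20151119110100.pcap": make_sample_pcap(4900, 100),
        "output_00048_20151119105900.pcap": make_sample_pcap(4700, 100),
    }
    order = ring_files_oldest_first(list(files))
    hdr, recs = last_n_packets([files[n] for n in order], 150)
    with open("last150.pcap", "wb") as fh:
        fh.write(write_pcap(hdr, recs))
```

With real ring files you would pass `open(path, "rb").read()` for each name returned by `ring_files_oldest_first`; only the newest one or two files need reading when N is small compared to the file size, since anything older is by construction not among the last N packets.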


Use dumpcap, not Wireshark for continuous captures.

How long are you going to sit staring at it waiting for the issue to happen?

If you use the -b options you can have multiple files of a set size or duration, so you can maintain lots of history in smaller file chunks from which you can then grab the file of interest.

answered 19 Nov '15, 09:12


grahamb ♦
accept rate: 22%


Hmm, actually you can do this kind of thing with Wireshark too. In the Capture Options dialog select "Use multiple files" mode (Gtk+ GUI; the Qt/2.0 GUI's interface is somewhat different) and select how often you want a new file. From the sounds of it you also want to select ring buffer mode (and specify how many files you want in the buffer).

Doing this in Wireshark can be helpful if you want to see the packets while you're waiting for the failure, for example if you need to see the packets to know if you've hit the bug.

Theoretically Wireshark should free most (if not all) of its memory each time it closes a file, but I'm pretty sure memory usage will still grow a bit while doing this. So if you plan to run for a very long time, Kurt's or Graham's suggestion to use dumpcap is certainly better.

answered 19 Nov '15, 11:00


JeffMorriss ♦
accept rate: 27%