Hey all, we are running a command line wireshark as shown below.

Dumpcap -i 1 -b files:100 -b filesize:100000 -w e:\wireshark\sitenum_p.pcap

Today it runs for 100 files and shuts down, I believe by the syntax this is by design. Looking for the ability for it to write the 100 or more files and then once completed start over overwriting the directory as needed. Any way to do this via command line? Mike

asked 14 Jun '16, 04:21 2hype4u
What is your OS and which version and what is your Wireshark version?
Wireshark 2.0.3, Windows 2012 R2
Your command should work (I have a line like that running exactly as you want it to) - unless you specify an autostop condition the ringbuffer should go on until you stop it manually.
This works as expected for me on Win 7 and I don't think the different OS will change anything in dumpcap behaviour.
As a test, try reducing the value of the files and filesize arguments just to see what happens quite quickly.
Not sure why but it stops after running the 100, like clockwork. I actually have my NOC monitoring for when it stops so we can restart it. Not very efficient but we need the captures for troubleshooting. Not sure what is causing it to stop then.
What is the packet rate on the interface you monitor? Is it a saturated link?
What is the e drive? Is it on a remote server? Does it stop after 100 files if you write to a local drive?
Also, what version of Wireshark/dumpcap are you using?
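The thread never resolves why the ring buffer stops. The script below is an added example, not posted by anyone in the thread and not part of Wireshark, that wraps the same dumpcap command in a restart loop and writes each run's exit code, duration, file count and stderr to a log, so the cause of the unplanned exit (full disk, dropped interface, remote share problem) can be read from the log rather than inferred from the NOC alert. It assumes the default dumpcap.exe install path, interface index 1 and the E:\wireshark target directory from the question; the log and stderr file names are my own choices.

```powershell
# Added example (not from the thread): restart the ring-buffer capture when it
# exits and record why it exited. Assumptions: default Wireshark install path,
# interface index 1 and E:\wireshark as used in the question.
$Dumpcap  = 'C:\Program Files\Wireshark\dumpcap.exe'
$OutDir   = 'E:\wireshark'
$LogFile  = Join-Path $OutDir 'dumpcap-watchdog.log'     # assumed name
$ErrFile  = Join-Path $OutDir 'dumpcap-stderr.txt'       # assumed name
# Same options as the original command: no -a autostop, so the ring buffer
# should keep cycling over 100 files of 100000 KB until stopped manually.
$DumpArgs = @('-i', '1',
              '-b', 'files:100',
              '-b', 'filesize:100000',
              '-w', (Join-Path $OutDir 'sitenum_p.pcap'))

if (-not (Test-Path $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}

while ($true) {
    $started = Get-Date
    # Run dumpcap in the foreground and keep its stderr; that is where dumpcap
    # reports the reason for an unplanned exit.
    $proc = Start-Process -FilePath $Dumpcap -ArgumentList $DumpArgs `
                          -NoNewWindow -Wait -PassThru `
                          -RedirectStandardError $ErrFile
    $ended = Get-Date
    # Ring-buffer files are named <base>_<seq>_<timestamp>.pcap, so count them.
    $files = (Get-ChildItem -Path $OutDir -Filter 'sitenum_p*.pcap' |
              Measure-Object).Count
    $stderr = (Get-Content $ErrFile -Raw -ErrorAction SilentlyContinue) -replace '\s+', ' '
    $msg = '{0:s} dumpcap exit code {1}; ran {2:N0} s; {3} capture files present; stderr: {4}' -f `
           $ended, $proc.ExitCode, ($ended - $started).TotalSeconds, $files, $stderr
    Add-Content -Path $LogFile -Value $msg
    # Short pause so a persistent failure (bad interface index, missing drive)
    # does not restart in a tight loop.
    Start-Sleep -Seconds 5
}
```

Run it from an elevated PowerShell session on the capture host (or as a scheduled task at startup). After the next unexpected stop, the log line's exit code, elapsed time and stderr text narrow the cause: a non-zero code with a write error points at the E: drive (the remote-server question above), while a clean exit after exactly 100 files with no stderr would confirm that something other than dumpcap itself is ending the run.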