
Wireshark Command Line Dumpcap


Hey all, we are running a command line wireshark as shown below.

dumpcap -i 1 -b files:100 -b filesize:100000 -w e:\wireshark\sitenum_p.pcap

Today it runs for 100 files and then shuts down; I believe, by the syntax, this is by design. I'm looking for the ability for it to write the 100 or more files and then, once completed, start over, overwriting the directory as needed. Is there any way to do this via the command line?

Mike

asked 14 Jun '16, 04:21


2hype4u

What is your OS and which version and what is your Wireshark version?

(14 Jun '16, 05:27) Jaap ♦

Wireshark 2.0.3, Windows 2012 R2

(14 Jun '16, 16:19) 2hype4u

Your command should work (I have a line like that running exactly as you want it to) - unless you specify an autostop condition the ringbuffer should go on until you stop it manually.

(15 Jun '16, 09:40) Jasper ♦♦
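As an added example (not code from the thread or from the Wireshark project), here is the ring-buffer command from the question wrapped in a PowerShell supervisor loop, so that if dumpcap does exit for any reason it is restarted and the exit code is logged for later diagnosis rather than relying on a NOC alert. The install path, the log file name and the use of interface 1 are assumptions; only the `-i`, `-b files:`, `-b filesize:`, `-w`, `-a files:` and `-D` options are real dumpcap options.

```powershell
# Added example, not from the original post: supervise dumpcap as a ring buffer.
# Assumptions (not stated on the page): dumpcap.exe lives in the default
# Wireshark install directory, captures go to E:\wireshark, interface 1 is the
# one wanted, and a supervisor log next to the captures is acceptable.

$Dumpcap = 'C:\Program Files\Wireshark\dumpcap.exe'   # assumed install path
$OutDir  = 'E:\wireshark'                             # capture directory from the post
$OutFile = Join-Path $OutDir 'sitenum_p.pcap'
$LogFile = Join-Path $OutDir 'dumpcap-supervisor.log' # assumed log file name

# Ring buffer: keep at most 100 files of 100000 kB each; when the 101st would be
# written, the oldest is overwritten and the capture keeps running.
# Caveat: "-b files:N" is the ring buffer. "-a files:N" is an autostop condition
# that ends the capture after N files, which is exactly the stop-after-100
# behaviour the question describes, so make sure no "-a" option sneaks in.
$DumpcapArgs = @('-i', '1', '-b', 'files:100', '-b', 'filesize:100000', '-w', $OutFile)

# Record the interface list before trusting "-i 1": dumpcap's interface
# numbering can change after a driver update or a reboot.
"$(Get-Date -Format s) interfaces:" | Out-File -Append $LogFile
& $Dumpcap -D 2>&1 | Out-File -Append $LogFile

while ($true) {
    "$(Get-Date -Format s) starting: $Dumpcap $($DumpcapArgs -join ' ')" | Out-File -Append $LogFile
    $p = Start-Process -FilePath $Dumpcap -ArgumentList $DumpcapArgs -NoNewWindow -PassThru -Wait
    # A non-zero exit code (disk full, interface vanished, permissions) is the
    # first thing to look at when the capture stops "like clockwork".
    "$(Get-Date -Format s) dumpcap exited with code $($p.ExitCode)" | Out-File -Append $LogFile
    Start-Sleep -Seconds 5   # avoid a tight restart loop if dumpcap fails immediately
}
```

Run it from an elevated PowerShell session (dumpcap needs capture privileges on the interface), or register it as a scheduled task that starts at boot. The log then shows whether dumpcap is exiting on its own and with what code, which is the information the rest of this thread is asking for.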

This works as expected for me on Win 7 and I don't think the different OS will change anything in dumpcap behaviour.

As a test, try reducing the value of the files and filesize arguments just to see what happens quite quickly.

(15 Jun '16, 14:01) grahamb ♦

Not sure why, but it stops after running the 100, like clockwork. I actually have my NOC monitoring for when it stops so we can restart it. Not very efficient, but we need the captures for troubleshooting. Not sure what is causing it to stop, then.

(16 Jun '16, 01:36) 2hype4u

What is the packet rate on the interface you monitor? Is it a saturated link?

(16 Jun '16, 02:12) Jaap ♦

What is the e drive? Is it on a remote server? Does it stop after 100 files if you write to a local drive?

Also, what version of Wireshark/dumpcap are you using?

(16 Jun '16, 10:38) cmaynard ♦♦