First, the system:

Ubuntu server 16.04, up to date as of today
tshark 22.02 installed from repositories

If I run tshark, I see the text capture messages scrolling on the screen, so I know I am seeing data coming into the capture PC. When I attempt to capture to a filename, I see the data being written to the file. When I attempt to capture using a ring buffer of 5 files, each 1024k, I receive the following error:

    tshark: Maximum capture file size specified, but capture isn't being saved to a file.

The command I am using is:

    tshark -b filesize:1024 files:5 -w outfile.pcapng

I have also tried with no file extension and using pcap as the extension.

My overall goal is to have this machine installed in a remote location, headless, where I can access it via SSH to do the captures, then retrieve the files using SFTP and analyze them on my own machine. I am performing all of the above over SSH already, the only part not working is the ring buffer, which is critical for this application.

asked 08 Aug '16, 08:37 rtstarliper
One Answer:
I think you need to repeat the "-b" parameter for each ring buffer setting. In your case:

    tshark -b filesize:1024 -b files:5 -w outfile.pcapng

answered 08 Aug '16, 08:46 Jasper ♦♦
That appears to have done the trick. Running a test now to make sure I get multiple capture files before I ship this box out. Thanks.
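
A pre-deployment check for the ring-buffer arguments discussed in this thread, added here as an example; it is not part of the original posts and not tshark's own code. The function name `check_ringbuf_args` is hypothetical, and modelling tshark as stopping at the first non-option word (as POSIX `getopts` does) is an assumption that is consistent with the quoted error.

```shell
#!/bin/sh
# Lint a tshark ring-buffer argument list before shipping a headless capture box.
# Models only -b, -w and -i with POSIX getopts, which stops at the first
# non-option word (assumed to match how tshark read the failing command).
check_ringbuf_args() {
    OPTIND=1
    outfile="" criteria="" status=0
    while getopts ":b:w:i:" opt; do
        case "$opt" in
            b) case "$OPTARG" in
                   filesize:[0-9]*|files:[0-9]*|duration:[0-9]*)
                       criteria="$criteria $OPTARG" ;;
                   *) echo "bad -b criterion: $OPTARG"; status=1 ;;
               esac ;;
            w) outfile="$OPTARG" ;;
            i) : ;;  # interface name, not checked here
            :) echo "option -$OPTARG needs a value"; status=1 ;;
            \?) echo "option -$OPTARG is not modelled by this check"; status=1 ;;
        esac
    done
    shift $((OPTIND - 1))
    # Anything left was not consumed as an option or as an option value.
    for word in "$@"; do
        case "$word" in
            filesize:*|files:*|duration:*)
                echo "'$word' is missing its own -b"; status=1 ;;
            *) echo "stray argument: $word"; status=1 ;;
        esac
    done
    # Ring-buffer criteria are only meaningful when a -w file was parsed.
    if [ -n "$criteria" ] && [ -z "$outfile" ]; then
        echo "ring buffer requested but no -w file was parsed"; status=1
    fi
    return $status
}
```

Run against the command from the question, it reports that `files:5` lacks its own `-b` and that no `-w` file was parsed; the command from the answer passes.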