Wireshark mailing list archives

Re: dumpcap -c caveat [Re: Can I get Wireshark to capture constantly, but not count to infinity ?]

From: Arvinder Virk <arvinder.virk () gmail com>
Date: Thu, 26 Aug 2010 14:13:04 +0100

I have this working with tshark and have successfully used it recently. Run
the following command:

tshark -b filesize:20480 -b files:1000 -i eth3 -w /var/dumpcap/eth3

to capture continuously, chunking individual files to 20MB, using a ring
buffer of at most 1000 files.

On 26 August 2010 13:00, kevin creason <ckevinj () gmail com> wrote:

This thread was very helpful-- but it wasn't working for me. It only took
the first -b flag, I had to make the duration/filesize option a "-a" flag
and only the "files:#" on the -b flag.

I went with the filesize rotation rather than a duration because the files
from the duration of 120 seconds ranged from a few mb to 500mb on my small
business network. A 500mb file in Wireshark is not easy to work with!

I want to have several hours worth to go back and look at, so we'll see how
this will work. Here's my command:

dumpcap -a filesize:6000 -b files:150 -i eth3 -w /var/dumpcap/eth3


-Kevin
/*“ I am looking for a lot of men who have an infinite capacity to not know
what can't be done. ” -- Henry Ford  */



On Tue, Aug 24, 2010 at 7:42 PM, Gregorio Tomas Focaccio <
public.focaccio () gmail com> wrote:

Be aware that the -c argument appears to be absolute and overrides any of
the ring buffer arguments.  My command: dumpcap -b duration:1800 files:5 -i
4 -c 5000 -w 915PBLbr0 stopped at 5000 packets and did not start writing to
the next file.  My new, and hopefully final command for capturing all packet
seen by the 4th interface of dumpcap -D list to a ring-buffer of 5 files
with a capture duration of 30 minutes each is:  dumpcap -b duration:1800
files:5 -i 4 -w 915PBLbr0

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org
?subject=unsubscribe



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org
?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

dumpcap -c caveat [Re: Can I get Wireshark to capture constantly, but not count to infinity ?] Gregorio Tomas Focaccio (Aug 24)
- Re: dumpcap -c caveat [Re: Can I get Wireshark to capture constantly, but not count to infinity ?] kevin creason (Aug 26)
  - Re: dumpcap -c caveat [Re: Can I get Wireshark to capture constantly, but not count to infinity ?] Arvinder Virk (Aug 26)