Wireshark mailing list archives

dumpcap -f question [Re: Can I get Wireshark to capture constantly, but not count to infinity ?]


From: Gregorio Tomas Focaccio <public.focaccio () gmail com>
Date: Tue, 24 Aug 2010 16:52:23 -0700

Phil,

Thanks for the dumpcap tip, it looks like a near perfect fit to my needs.
You are right about a ring-buffer being superior to 'clearing the slate',
that is what I wanted, but didn't have a word for it.  I wish there was a
way to configure a ring-buffer within Wireshark.

The documentation I found for dumpcap did not say what happens if the -f
filter argument is left off the dumpcap command.  Do you know what happens?


I ran dumpcap -D to get:

1. eth0
2. wlan0
3. tap0
4. br0
5. eth1
6. usbmon1 (USB bus number 1)
[etc.]

So, here is what I hope the command:

    dumpcap -b files:5 -i 4 -c 16500 -w 915PBLbr0

accomplishes:

1. Starts dumpcap and allows for a ring buffer of 5 files, each with:
   915PBLbr0 in the file name
2. Captures 16,500 packets (for an individual capture file size less than
   25M assuming 1500 byte MTU) in each file
3. Captures any (don't know what happens without -f argument) packet seen
   by the bridge0 virtual interface.
4. Never creates more than 5 capture files.

How does the command look to you?

Thanks,
Greg