I read capture length to be 65535 packets and guessed the ring buffer was
related to that. Now I see that is the number of bytes per packet.
I guess the ring buffer is handy when you want to limit file sizes, yet keep
capturing. This is nice when you need to ZIP and e-mail files I guess.
Thanks Guy!
Joe Aiello
Systems Engineer
Sylantro Systems
-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxx]
Sent: Thursday, January 10, 2002 5:33 PM
To: Joe Aiello
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] Looking for a description of the ring
buffer
> I am guessing it means how many temporary 65535 packet files to use before
> it starts to overwrite packets (SWAG).
65535 is not a wired-in ring buffer parameter of any sense, so that's
not it.
The manual page says:
OPTIONS
-a Specify a criterion that specifies when Tethereal is to
stop writing to a capture file. The criterion is of the
form test:value, where test is one of:
duration
Stop writing to a capture file after value seconds
have elapsed.
filesize
Stop writing to a capture file after it reaches a
size of value kilobytes (where a kilobyte is 1000
bytes, not 1024 bytes).
-b If a maximum capture file size was specified, causes
Ethereal to run in "ring buffer" mode, with the
specified number of files. In "ring buffer" mode,
Ethereal will write to several capture files; the name
of the first file, while the capture is in progress,
will be the name specified by the -w flag, and
subsequent files with have .n appended, with n counting
up.
When the first capture file fills up, Ethereal will
switch to writing to the next file, until it fills up
the last file, at which point it'll discard the data in
the first file and start writing to that file. When
that file fills up, Ethereal will discard the data in
the next file and start writing to it, and so on.
When the capture completes, the files will be renamed to
have names based on the number of the file and on the
date and time at which packets most recently started
being written to the file.