Ethereal-users: RE: [Ethereal-users] Ring buffer without the ring

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Tue, 28 Jan 2003 11:47:38 -0600
What we're doing at the moment is running a 10-file ring buffer, then running a script to check that buffer once per minute to see if the files have rolled one or more times.  Any files that have rolled are copied and gzipped into another directory.

Catches:

1)  The last packet in the file is always mangled.  Not sure why this is, but it is.

2)  You have to copy all except for the most recent file, since that's the file Ethereal is currently writing data to.  All of the other files are fair game.

3)  You'll need to use files large enough that your buffer doesn't completely roll over (roll more than 9 files) before your copy process can duplicate all of them.  Larger files = more time.

4)  Naming convention of some sort.  We name the files after the timestamp.

5)  Disk filling up.  We run a monitor script to remove the oldest file in the dir subtree if the available disk space on the volume falls below 10GB.

Hope that helps!

--J

> -----Original Message-----
> From: Kurt A. Bernard [mailto:kabernard@xxxxxxxxxxxx]
> Sent: Monday, January 27, 2003 1:23 PM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] Ring buffer without the ring
> 
> 
> I'd like to use ethereal to capture a week's worth of traffic 
> for post analysis.  
> 
> I have used sniffer to do the same and can tell it to collect 
> x files of y size.  
> 
> Has anyone requested a mod to the ring buffer capability to 
> allow for a straight collection of 500 files of 12MB before?  
> 
> I haven't looked at the code yet but I'm hoping I'll be able 
> to massage it into cooperating if there is not a better 
> solution out there. (I can't use sniffer because it will not 
> let me adjust my output file format or the summary) 
> 
> 
> Any help would be appreciated!
> 
> thanks, Kurt
> 
> 
> Kurt Bernard
> TECHSOFT Inc.
>
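
The copy-and-gzip routine and the disk-space monitor described in the reply at the top of this message, as an added example (not the poster's own script). The function names and directory arguments are hypothetical, GNU `date -r FILE` is assumed for reading a file's modification time, and the prune step looks only at the top level of the archive directory rather than a whole subtree.

```shell
# Added example: archive rolled ring-buffer files, then prune when disk is low.
# Assumes GNU date (-r FILE prints the file's mtime) and gzip on PATH.

# archive_rolled SRC_DIR DEST_DIR
# Gzips every regular file in SRC_DIR except the most recently modified one
# (the file still being written) into DEST_DIR, named after the file's mtime.
# Prints the number of files newly archived.
archive_rolled() {
    src=$1 dest=$2 newest="" count=0
    mkdir -p "$dest" || return 1
    # Pass 1: find the newest file; the capture process still has it open.
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    # Pass 2: archive everything else that has not been archived yet.
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        [ "$f" = "$newest" ] && continue
        stamp=$(date -r "$f" +%Y%m%d-%H%M%S) || return 1
        out="$dest/$stamp-$(basename "$f").gz"
        [ -e "$out" ] && continue          # copied on an earlier run
        # Compress to a temp name, then rename, so an interrupted run never
        # leaves a truncated archive that later runs would skip.
        gzip -c "$f" > "$out.tmp" && mv "$out.tmp" "$out" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# prune_oldest DIR MIN_FREE_KB
# Deletes the oldest file in DIR until the volume has MIN_FREE_KB available.
prune_oldest() {
    while [ "$(df -Pk "$1" | awk 'NR==2 {print $4}')" -lt "$2" ]; do
        oldest=$(ls -1tr "$1" | head -n 1)
        [ -n "$oldest" ] || return 1       # nothing left to delete
        rm -f -- "$1/$oldest" || return 1
    done
}
```

Run once per minute from cron, `archive_rolled` is safe to repeat because the archive name is derived from the rolled file's modification time, which stops changing once the capture moves on to the next file.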