Ethereal-users: Re: [Ethereal-users] streaming capture to multiple files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ian Schorr <spamcontrol2@xxxxxxxxxxx>
Date: Wed, 29 Oct 2003 17:16:38 -0500
What you can't do currently, however, is instruct Ethereal to stop after it writes a certain number of files or bytes. You can tell it to stop after a certain number of frames, and after a certain number of seconds, but not tell it to record up to a certain number of bytes if saving to multiple files.

Therefore, if you're simply trying to start capturing at a certain point (perhaps something triggered by a script after an event of some kind) and then attempt to capture as much as possible within a certain size limit (for example, up to the available size of the disk), you won't be able to do it.

You could, actually, save to one very large file (you can specify a maximum size in bytes if not using the ring buffer) and then split the file with, say, editcap; but chances are that filesize limitations will make this impractical for you.

Ian

Guy Harris wrote:


On Oct 29, 2003, at 1:46 PM, R. Benjamin Kessler wrote:

Hi all, I'm looking to emulate the capabilities of NAI's Sniffer where you can perform a "capture to file" and have it save some number of files of xx MB size.

I don't necessarily need the "circular buffer" capabilities that Sniffer has (e.g. capture up to 100 files of 32MB each, when you're done writing file #100, overwrite file #1, 2, 3, etc. as needed) but would like to have a very long term capture running but have it broken into smaller, more manageable chunks.


Current versions of Ethereal have the ability to do that. It's had that "circular buffer" capability for a while (we call it a "ring buffer"), and it has recently added the ability to have an "infinite" ring buffer, i.e. it doesn't overwrite files, but just keeps writing new files.

See the "Use ring buffer" item in the "Capture file(s)" section of the "Capture Options" dialog box. "Number of files" is the number of files in the circular buffer - 0 means "infinite". To specify the size, see the "Rotate capture file every [N] kilobyte(s)" item in the "Capture limits" section of that dialog box.

From the command line (of Ethereal or Tethereal), see the "-a" and "-b" command-line flags.
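
Added example, not part of the original thread and not Ethereal code: the limit Ian describes as missing (multiple files plus a hard cap on total bytes written) can be applied outside the capture tool by splitting a capture stream. It assumes classic libpcap-format input (not pcapng); `split_pcap`, `make_sample` and `open_chunk` are hypothetical names, and the sample capture is constructed.

```python
import io
import struct

PCAP_HDR_LEN, REC_HDR_LEN = 24, 16  # classic libpcap global / per-packet header sizes

def make_sample(n, payload_len):
    """Constructed input: little-endian pcap holding n dummy all-zero frames."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack("<IIII", 0, 0, payload_len, payload_len) + b"\0" * payload_len
    return ghdr + rec * n

def split_pcap(stream, file_bytes, total_bytes, open_chunk):
    """Copy packets from a pcap stream into chunks of about file_bytes each
    (a chunk always holds at least one packet), stopping before the sum of all
    chunk sizes would exceed total_bytes. open_chunk(index) must return a
    writable binary file object. Returns the list of chunk sizes in bytes."""
    ghdr = stream.read(PCAP_HDR_LEN)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(ghdr[:4])
    if len(ghdr) != PCAP_HDR_LEN or endian is None:
        raise ValueError("not a classic pcap stream")
    sizes, out, written = [], None, 0
    while True:
        rhdr = stream.read(REC_HDR_LEN)
        if len(rhdr) < REC_HDR_LEN:
            break  # end of stream (or truncated record header)
        incl_len = struct.unpack(endian + "IIII", rhdr)[2]
        data = stream.read(incl_len)
        if len(data) < incl_len:
            break  # truncated final packet: drop it rather than write garbage
        rec = rhdr + data
        # Rotate when this record would push the current chunk past file_bytes.
        need_new = out is None or sizes[-1] + len(rec) > file_bytes
        cost = len(rec) + (PCAP_HDR_LEN if need_new else 0)
        if written + cost > total_bytes:
            break  # hard budget reached: stop instead of overwriting old chunks
        if need_new:
            if out is not None:
                out.close()
            out = open_chunk(len(sizes))
            out.write(ghdr)  # every chunk gets the header, so it opens on its own
            sizes.append(PCAP_HDR_LEN)
        out.write(rec)
        sizes[-1] += len(rec)
        written += cost
    if out is not None:
        out.close()
    return sizes

if __name__ == "__main__":
    print(split_pcap(io.BytesIO(make_sample(10, 60)), 200, 500, lambda i: io.BytesIO()))
```

Because the function reads sequentially, `stream` can be a pipe as well as a file, and setting `total_bytes` to the free space on the target disk gives the "capture as much as fits" behaviour discussed above.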