Keith French wrote:
> When I start Ethereal V0.10.14 from the command line under WinXP SP2,
> what is the exact syntax & units for capturing to multiple files?
> Is it:-
>
>     ethereal -i 4 -k -a filesize:64 -b -w c:\traces\test.cap
>
> I assume this starts a new file every 64M

64K; as the man page says:

    -a <capture autostop condition>
        Specify a criterion that specifies when Ethereal is to stop writing
        to a capture file. The criterion is of the form test:value, where
        test is one of:
        ...
        filesize:value  Stop writing to a capture file after it reaches a
        size of value kilobytes (where a kilobyte is 1024 bytes). ...

> and does not use a ring buffer?

Well, what that command line *should* do is report an error; the "-b"
flag takes an argument:

    -b <capture ring buffer option>
        Cause Ethereal to run in "multiple files" mode. In "multiple
        files" mode, Ethereal will write to several capture files. When the
        first capture file fills up, Ethereal will switch writing to the
        next file and so on.
        ...
        The criterion is of the form key:value, where key is one of:

        duration:value  switch to the next file after value seconds have
        elapsed, even if the current file is not completely filled up.

        filesize:value  switch to the next file after it reaches a size of
        value kilobytes (where a kilobyte is 1024 bytes).

        files:value  begin again with the first file after value number of
        files were written (form a ring buffer).

but, in that command, the argument would be "-w", which isn't a valid
argument.
I've checked in a bug fix to catch that.
If you don't use "files:value", it'll have a ring buffer, i.e. it'll use
no more than the specified number of files; if you don't use
"files:value", it won't.
Also, "-a" doesn't, by itself, start multi-file mode; you need "-b" for
that.
So you'd probably want something such as

    ethereal -i 4 -k -b filesize:65536 -w c:\traces\test.cap

> Also when setting the kernel buffer with -B 20, does that set the buffer
> to 20M?

Yes:

    -B <capture buffer size (Win32 only)>
        Win32 only: set capture buffer size (in MB, default is 1MB).

> One final point - are there any calculations that can be performed on
> available free memory on the PC and the ideal file size when capturing
> to multiple files to avoid dropped packets?

I'm not sure whether the free memory size would affect the ideal file
size or not.
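
The -a/-b rules discussed in this thread, written out as a small checker. This is an added example, not part of the original message and not Ethereal's own option parser; check_capture_args and its settings keys are hypothetical names, and only the options and keys quoted from the man page above are interpreted.

```python
B_KEYS = ("duration", "filesize", "files")  # -b keys quoted from the man page

def check_capture_args(argv):
    """Return (settings, problems) for the -a, -b and -w options in argv."""
    settings = {"multi_file": False, "ring_buffer": False, "outfile": None,
                "stop_bytes": None, "switch_bytes": None, "switch_seconds": None}
    problems = []
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt not in ("-a", "-b", "-w"):
            i += 1
            continue
        # Each of these options consumes the next word, whatever it is.
        arg = argv[i + 1] if i + 1 < len(argv) else ""
        i += 2
        if opt == "-w":
            settings["outfile"] = arg
            continue
        key, sep, value = arg.partition(":")
        if not sep or not value.isdigit():
            problems.append(f"{opt} needs key:value, got {arg!r}")
        elif opt == "-a":
            # -a only stops the capture; it never enables multi-file mode.
            if key == "filesize":
                settings["stop_bytes"] = int(value) * 1024  # value is in KiB
        elif key not in B_KEYS:
            problems.append(f"-b: unknown key {key!r}")
        else:
            settings["multi_file"] = True
            if key == "filesize":
                settings["switch_bytes"] = int(value) * 1024  # value is in KiB
            elif key == "duration":
                settings["switch_seconds"] = int(value)
            else:  # files:value wraps around to the first file
                settings["ring_buffer"] = True
    return settings, problems

# Constructed inputs: the two command lines from the thread.
ASKED = r"ethereal -i 4 -k -a filesize:64 -b -w c:\traces\test.cap".split()
SUGGESTED = r"ethereal -i 4 -k -b filesize:65536 -w c:\traces\test.cap".split()

if __name__ == "__main__":
    for argv in (ASKED, SUGGESTED):
        print(check_capture_args(argv))
```

For the command as asked, the checker reports that -b swallowed "-w" as its argument and that no multi-file mode or output file was set; for the suggested command it reports a file switch every 64 MiB with no ring buffer.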