Thanks for the reply. Further to my last point on capturing to multiple
files, what factors under WinXP are most likely to cause dropped packets
(apart from other applications running)? What is the best method to use in
gauging the ideal file size for multiple file capture to avoid dropped
packets?
Keith French.
----- Original Message -----
From: "Guy Harris" <gharris@xxxxxxxxx>
To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
Sent: Wednesday, March 01, 2006 6:44 PM
Subject: Re: [Ethereal-users] Ethereal Command Line Options
Keith French wrote:
When I start Ethereal V0.10.14 from the command line under WinXP SP2,
what is the exact syntax & units for capturing to multiple files?
Is it:-
ethereal -i 4 -k -a filesize:64 -b -w c:\traces\test.cap
I assume this starts a new file every 64M
64K; as the man page says:
-a <capture autostop condition>
Specify a criterion that specifies when Ethereal is to stop writing
to a capture file. The criterion is of the form test:value, where
test is one of:
...
filesize:value Stop writing to a capture file after it reaches a
size of value kilobytes (where a kilobyte is 1024 bytes). ...
and does not use a ring buffer?
Well, what that command line *should* do is report an error; the "-b" flag
takes an argument:
-b <capture ring buffer option>
Cause Ethereal to run in "multiple files" mode. In "multiple
files" mode, Ethereal will write to several capture files. When the
first capture file fills up, Ethereal will switch writing to the
next file and so on.
...
The criterion is of the form key:value, where key is one of:
duration:value switch to the next file after value seconds have
elapsed, even if the current file is not completely filled up.
filesize:value switch to the next file after it reaches a size of
value kilobytes (where a kilobyte is 1024 bytes).
files:value begin again with the first file after value number of
files were written (form a ring buffer).
but, in that command, the argument would be "-w", which isn't a valid
argument.
I've checked in a bug fix to catch that.
If you don't use "files:value", it'll have a ring buffer, i.e. it'll use
no more than the specified number of files; if you don't use
"files:value", it won't.
Also, "-a" doesn't, by itself, start multi-file mode; you need "-b" for
that.
So you'd probably want something such as
ethereal -i 4 -k -b filesize:65536 -w c:\traces\test.cap
Also when setting the kernel buffer with -B 20, does that set the buffer
to 20M.
Yes:
-B <capture buffer size (Win32 only)>
Win32 only: set capture buffer size (in MB, default is 1MB).
One final point - is there any calculations that can be performed on
available free memory on the PC and the ideal file size when capturing to
multiple files to avoid dropped packets?
I'm not sure whether the free memory size would affect the ideal file size
or not.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 268.1.1/273 - Release Date: 02/03/2006
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 268.1.1/273 - Release Date: 02/03/2006