On Sat, Mar 14, 2009 at 2:09 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Mar 12, 2009, at 8:15 PM, Chris Henderson wrote:
>
>> I am running wireshark/ ethereal version 1.0.4 on Linux. My only
>> network interface is eth0 and when I start a live capture on eth0, it
>> stops capturing any packet after a while. It's hard to say when it
>> actually stops the capture as it's quite random. It doesn't give any
>> error, just sits there not capturing anything; although in the bottom
>> panel I can see: eth0: live capture in progress message. I have over
>> 10GB disk space in my /tmp directory.
>
> Is dumpcap still running when packets stop arriving?
I started dumpcap after wireshark stopped capturing and dumpcap
staretd capturing packets.
> What happens if you try running dumpcap, or tcpdump, from a terminal
> window? Does it also stop seeing packets after a while?
dumpcap stops after a while as well. Here's the output
# dumpcap
File: /tmp/etherXXXXm6M5no
Packets: 13831
it stopped at that. when I did ^c it said: Packets dropped: 17716
the file size (/tmp/etherXXXXm6M5no) grew to 2042160 and stopped as well.
> Are you using ring buffers?
not sure what that is - so probably no.