Wireshark-users: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations

From: "Ryan Zuidema" <ryan.zuidema@xxxxxxxxxxx>
Date: Wed, 19 May 2010 11:54:28 -0700
I am curious what use case would require that many small files? Couldn't you
simply increase the individual filesize to 20MB or 50MB?

-Ryan

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Joseph Laibach
Sent: Wednesday, May 19, 2010 11:49 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations

Jaap,
        Sounds great, but I have no clue about compiling. Looks like it's
time for some more reading and experimenting.

Thanks

Joe

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
Sent: Wednesday, May 19, 2010 2:35 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations

Hi,

It's hardcoded, so you can get the source, increase the limit, recompile and
go.

Thanks,
Jaap

On 05/19/2010 08:17 PM, Joseph Laibach wrote:
> Is there a way to remove that limit or override it?
>
> Thanks
>
> Joe
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
> Sent: Wednesday, May 19, 2010 2:07 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations
>
> On 05/19/2010 07:38 PM, Joseph Laibach wrote:
>> All,
>>
>> I'm running a continuous capture of data. I'm trying to use a ring
>> buffer of 25000 files with an 8mb file size. The problem is that the
>> ring buffer starts overwriting after 10000 files. I've tried it with
>> dumpcap and tshark. The command is using the -b files:25000 -b
>> filesize:8192. Is there a limitation to the size of the ring buffer for
>> dumpcap and/or tshark?
>>
>> Thanks
>>
>> Joe
>>
>> - Wireshark V1.2.8
>>
>> - Windows 2003 Server R2 64bit
>>
>> - WinPcap v4.1.1
>>
>
> Hi,
>
> That's a fixed limit:
>
> jaap@host:~/src/wireshark/trunk$ grep RINGBUFFER_MAX_NUM_FILES *.h
> ringbuffer.h:#define RINGBUFFER_MAX_NUM_FILES 10000
>
> Thanks,
> Jaap

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
 
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



This communication is for informational purposes only.  It is not intended
as an offer or solicitation or as an official confirmation.  Market prices
and other information are not guaranteed as to completeness or accuracy and
are subject to change without notice.  Schonfeld Group reserves the right to
monitor and review the content of all messages sent to or from this e-mail
address.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
 
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe