Wireshark-users: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations

From: Douglas Ross <doug_ross_59@xxxxxxxxxxx>
Date: Thu, 20 May 2010 22:25:37 +0000 (GMT)
Joseph,
 
Have you considered compressing the capture files,
if two of your concerns are the huge amount of disk space and the consequent network traffic you need to manage this data?
 
I'm very new to Wireshark, but have used Ethereal in the past, and periodically compressed capture files and deleted the originals.
(e.g. WinRAR achieves a compression ratio of about 10:1)
 
Anyway, I made a script to automatically compress daily files into two archives per month. This not only reduced disk usage, but also dramatically reduced the number of files/folders.
 
If 1000 ring files is the hard coded limit, then auto compress and delete after every 500 or 800.
If "0" ring files implies no limit, then auto compress after whatever number is most convenient.
 
I used the capture file dts (date.time stamp) to determine which half-month archive it should be put in. eg:
...20100501... to ...20100515... I'd put in archive ...201051
...20100516... to ...20100531... I'd put in archive ...201052
(undoubtedly you'd make a finer split, perhaps into one or two archives per day ...)
(capture file name includes start of capture dts; system dts is at close of file (= start of next))
 
Hopefully, that will help solve the problems of volume of files, and waste of disk space and network capacity.
 
Similarly, I used scripts to help decompress whichever file I needed, based on dts.
 
Hope this helps for a relatively quick fix, at least to give you some ideas.
 
Good luck
Regards
Doug
 
PS. While you're scripting this (if you go down that route), you could consider doing a first-pass analysis and filtering out the stuff you're not interested in, and/or splitting the capture into known good and useful stuff; definite rubbish (discard); and possible trouble...
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Fri, 21 May, 2010 3:34:54 AM
Subject: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations

Joseph Laibach wrote:
> All,
>
>                I’m running a continuous capture of data. I’m trying to
> use a ring buffer of 25000 files with an 8mb file size. The problem is
> that the ring buffer starts overwriting after 10000 files. I’ve tried it
> with dumpcap and tshark. The command is using the –b files:25000 –b
> filesize:8192. Is there a limitation to the size of the ring buffer for
> dumpcap and/or tshark?

Turns out that if you specify the number of files as 0 then
dumpcap/*shark will create an unlimited number of files.  I don't know
if that's acceptable or if you really need it to roll over at 25,000,
but it's an option.
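As an added example (not code from either message in this thread), the following POSIX shell script implements Doug's half-month archiving scheme on top of the unlimited ring (`-b files:0`) that Jeff mentions. It relies on dumpcap's ring file naming, `<prefix>_<NNNNN>_<YYYYMMDDHHMMSS>.pcap`, where the timestamp is the start of that file's capture; the `archive/` directory, the default of 500 files left untouched, the `YYYYMM_1` / `YYYYMM_2` key layout and the `/captures` path are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): archive dumpcap ring-buffer files into
# half-month tarballs keyed on the capture-start timestamp in each file name,
# then delete the originals, so an unlimited ring (-b files:0) stays bounded.
#
# Capture command from the thread, with the unlimited-files option Jeff noted:
#   dumpcap -i eth0 -b files:0 -b filesize:8192 -w /captures/ring.pcap
# dumpcap names each file <prefix>_<NNNNN>_<YYYYMMDDHHMMSS>.pcap; NNNNN is a
# zero-padded sequence number, so plain name order is creation order.

# archive_key NAME -> prints YYYYMM_1 for days 01-15, YYYYMM_2 for 16-31.
# The key layout is this script's own choice (Doug used 201051 / 201052).
archive_key() {
    ts=$(printf '%s\n' "$1" | sed -n 's/.*_\([0-9]\{14\}\)\.pcap[a-z]*$/\1/p')
    [ -n "$ts" ] || return 1            # not a dumpcap ring file name
    ym=$(printf '%s' "$ts" | cut -c1-6)
    day=$(printf '%s' "$ts" | cut -c7-8)
    day=${day#0}                        # "08" -> "8", avoids octal parsing
    if [ "$day" -ge 1 ] && [ "$day" -le 15 ]; then
        printf '%s_1\n' "$ym"
    elif [ "$day" -ge 16 ] && [ "$day" -le 31 ]; then
        printf '%s_2\n' "$ym"
    else
        return 1
    fi
}

# archive_ring DIR [KEEP] -> tar+gzip every ring file in DIR except the newest
# KEEP (default 500), one tarball per half-month key, then remove originals.
# Leaving the newest KEEP files alone means the file dumpcap is currently
# writing is never touched; the run timestamp in the tarball name keeps
# repeated runs for the same half-month apart (gzip cannot be appended to).
archive_ring() {
    dir=$(cd "$1" && pwd) || return 1
    keep=${2:-500}
    mkdir -p "$dir/archive" || return 1
    total=$(ls "$dir"/*_*.pcap* 2>/dev/null | wc -l)
    n=$((total - keep))
    [ "$n" -gt 0 ] || return 0          # nothing old enough to archive yet
    rm -f "$dir"/.list_*
    ls "$dir"/*_*.pcap* | head -n "$n" | while read -r f; do
        name=$(basename "$f")
        key=$(archive_key "$name") || continue
        printf '%s\n' "$name" >> "$dir/.list_$key"   # basenames, for tar -C
    done
    run=$(date +%Y%m%d%H%M%S)
    for list in "$dir"/.list_*; do
        [ -f "$list" ] || continue
        key=${list##*/.list_}
        out="$dir/archive/${key}_$run.tar.gz"
        # Delete originals only after tar succeeds and the tarball reads back.
        if tar -czf "$out" -C "$dir" -T "$list" && tar -tzf "$out" >/dev/null; then
            while read -r name; do rm -f "$dir/$name"; done < "$list"
        else
            echo "archive_ring: failed to write $out, originals kept" >&2
        fi
        rm -f "$list"
    done
}

# Example invocation for a cron job (path is an assumption):
#   archive_ring /captures 500
```

Run it from cron at whatever interval keeps the directory under the count you are comfortable with; because the newest files are skipped by position in name order, the script is safe to run while dumpcap is still writing. Name order is only creation order while the sequence number fits its zero padding, so size the schedule so the ring never gets that long between runs.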
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe