Wireshark-users: Re: [Wireshark-users] dumpcap -c caveat [Re: Can I get Wireshark to capture cons

From: Arvinder Virk <arvinder.virk@xxxxxxxxx>
Date: Thu, 26 Aug 2010 14:13:04 +0100
I have this working with tshark and have successfully used it recently. Run the following command:

tshark -b filesize:20480 -b files:1000 -i eth3 -w /var/dumpcap/eth3

to capture continuously, chunking individual files to 20MB, using a ring buffer of at most 1000 files.

On 26 August 2010 13:00, kevin creason <ckevinj@xxxxxxxxx> wrote:
This thread was very helpful, but it wasn't working for me. It only took the first -b flag; I had to make the duration/filesize option a "-a" flag and only the "files:#" on the -b flag.

I went with the filesize rotation rather than a duration because the files from the duration of 120 seconds ranged from a few MB to 500MB on my small business network. A 500MB file in Wireshark is not easy to work with!

I want to have several hours' worth to go back and look at, so we'll see how this will work. Here's my command:

dumpcap -a filesize:6000 -b files:150 -i eth3 -w /var/dumpcap/eth3


-Kevin
/*“ I am looking for a lot of men who have an infinite capacity to not know what can't be done. ” -- Henry Ford  */



On Tue, Aug 24, 2010 at 7:42 PM, Gregorio Tomas Focaccio <public.focaccio@xxxxxxxxx> wrote:
Be aware that the -c argument appears to be absolute and overrides any of the ring buffer arguments. My command:

dumpcap -b duration:1800 files:5 -i 4 -c 5000 -w 915PBLbr0

stopped at 5000 packets and did not start writing to the next file. My new, and hopefully final, command for capturing all packets seen by the 4th interface of the dumpcap -D list to a ring buffer of 5 files with a capture duration of 30 minutes each is:

dumpcap -b duration:1800 files:5 -i 4 -w 915PBLbr0
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
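
An added example, not part of the original messages or of Wireshark: a small shell check that lints a dumpcap/tshark argument list for the two pitfalls that show up in this thread, a -c packet count combined with a -b ring buffer, and a ring-buffer criterion that is not attached to its own -b (or -a) flag. The function name lint_capture_args is hypothetical, and it assumes flags and their values are written as separate words.

```shell
#!/bin/sh
# Added example: lint a dumpcap/tshark command line before starting a long capture.
# lint_capture_args is a hypothetical helper, not a Wireshark tool.
# Assumption: options are space-separated ("-b files:5", not "-bfiles:5").
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_capture_args() {
    prev="" has_ring=0 has_count=0 findings=0
    for arg in "$@"; do
        # If the previous word was a flag that takes a value, consume this word.
        case "$prev" in
            -b) has_ring=1; prev=""; continue ;;
            -a|-c|-i|-w)
                [ "$prev" = "-c" ] && has_count=1
                prev=""; continue ;;
        esac
        case "$arg" in
            -b|-a|-c|-i|-w) prev="$arg" ;;
            duration:*|filesize:*|files:*)
                # A criterion with no flag in front of it is not a ring-buffer option.
                echo "stray '$arg': give each criterion its own -b (or -a) flag"
                findings=$((findings + 1)) ;;
        esac
    done
    if [ "$has_ring" -eq 1 ] && [ "$has_count" -eq 1 ]; then
        # -c ends the capture at the packet count, as reported in the thread.
        echo "-c used with -b: capture ends at the packet count"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Sample input: two command lines quoted from the messages above.
lint_capture_args dumpcap -b duration:1800 files:5 -i 4 -c 5000 -w 915PBLbr0 || true
lint_capture_args dumpcap -a filesize:6000 -b files:150 -i eth3 -w /var/dumpcap/eth3 \
    && echo "clean"
```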

