[luke devon <luke_devon@xxxxxxxxx>]

Hi Jaap, 

Yes, the actual problem is dumpcap process stopped unexpectedly. It happened two times. However, I will start to debug this issue this Monday onwards. I will update you the status.

Thank you

Luke.

On Saturday, 26 May 2018, 3:12:46 PM GMT+8, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:

Hi,

So, the actual problem you are talking about is that the dumpcap process stopped unexpectedly?

This is uncommon unless there are external factors in play, e.g. , a network interface went down, the output file got (re-)moved before complete, the OOM killer kicked in. If you can find evidence of this, that might explain it. 

Was it a one time occurrence, or a reproducible event? This would allow further study of the conditions.

Thanks,

Jaap

On 26 May 2018, at 04:40, luke devon via Wireshark-users <wireshark-users@xxxxxxxxxxxxx> wrote:

Hi Jaap, 

Thank you for the reply and the suggestion. However, I have a script that controls the hard disk space. It won't exhaust the storage.  I have used the same setup with tcpdump since the last couple of years. But I had to deal with another network interface, that is why I decided to use dumpcap or tshark.

I will not let go the storage space beyond 90% of it. Fully controlled.

  

-b duration:15  --> jump to a new dump, likewise, it continues. usually, PCAP file size is 70-75MB and once compressed it will be 18-20MB. 

anyway, the issue that I have faced with dumpcap was really unexpected. Even there is nothing in the man pages to have a try. I was looking for a  guidance. if anyone out there who has faced this problem before.

Regards

Luke

On Saturday, 26 May 2018, 1:39:18 AM GMT+8, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:

Hi,

You should probably read the manual page of dumpcap. You’re running it in multiple files mode.

It is supposed to work this way. You may want to consider adding -b files:<value> to define the number of capture files to store to prevent exhausting your storage.

If configured this way you can indeed run it for an extended period. Personally I’ve run it for a couple of months on a production network like this.

Thanks,

Jaap

On 25 May 2018, at 04:10, luke devon via Wireshark-users <wireshark-users@xxxxxxxxxxxxx> wrote:

Hi

When generating the output of dumpcap, I am getting following formt of the out put.

outfile_00001_dateformat.pcap

dumpcap -i eth1 -i eth -b duration:15 -w /pathtopcap/test.pcap  <-- this is the command

test_01704_20180524193447.pcap <-- final file name

command was running since yesterday but when I am checking the status today, it has been stoped after few hours.dumpcap process has been stopped. 

May I know is there a way to resolve this issue? I wanna run this command continously, days or months or years... until the process stoped manually.

Thank you

Luke 

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe