Wireshark-users: Re: [Wireshark-users] Using tethereal with multiple files

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Thu, 20 Jul 2006 16:08:52 +0800

Jee Kay wrote:

I'm trying to use tshark to do on a console what I normally do from
the GUI, as I don't want to have to install X on my servers..

What I want to achieve is what I'd get if in the GUI I tick the 'Use
multiple files', 'Next file every 10 minutes' and 'Ring buffer with 6
files'. At the moment I am using this tethereal command line:

tethereal -i eth1 -w rspan.pcap -b duration:600 -b files:6 -s2000 -a
filesize:5000

Are you using 'tshark' or 'tethereal'? It probably makes a difference (see below).

Couple of questions:

Why do I need -a at all? I don't really want to limit individual file
sizes if I can help it.

I'm not sure about that.

The second problem is the more serious - when the size of the file
hits the -a limit, it suddenly goes crazy and creates thousands of
files (still keeping total number of files to a max of 6), each no
more than a few hundred bytes large. This means the original 5MB file
gets wiped out and the following results are pretty useless.

Does anyone know why that might be happening and how I can stop it?

From that, I'd guess you're using 'tethereal' 0.99.0, in which case you're running into bug 895:

http://bugs.ethereal.com/bugzilla/show_bug.cgi?id=895

I'd suggest getting Wireshark 0.99.2 (recently released).