Wireshark-bugs: [Wireshark-bugs] [Bug 5547] New: TSHARK ring buffering stopped

Date: Tue, 4 Jan 2011 12:14:52 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5547

           Summary: TSHARK ring buffering stopped
           Product: Wireshark
           Version: 1.2.9
          Platform: x86-64
        OS/Version: Windows Server 2003
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: nikduvall@xxxxxxxxxxx


Created an attachment (id=5701)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5701)
ZIP of Supporting images

Build Information:
TShark 1.2.9 (SVN Rev 33171)

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.22.4, with WinPcap (version unknown), with libz
1.2.3, without POSIX capabilities, without libpcre, without SMI, with c-ares
1.7.0, with Lua 5.1, with GnuTLS 2.8.5, with Gcrypt 1.4.5, without Kerberos,
with GeoIP.

Running on Windows Server 2003 X64 Edition Service Pack 2, build 3790, with
WinPcap version 4.1.1 (packet.dll version 4.1.0.1753), based on libpcap version
1.0 branch 1_0_rel0b (20091008), GnuTLS 2.8.5, Gcrypt 1.4.5.

Built using Microsoft Visual C++ 9.0 build 30729
--
When running tshark as a scheduled task as SYSTEM, ring buffering eventually
stopped working.  Capturing continued, but continued to write to the last file.

Here is the tshark command line:

"C:\Program Files\Wireshark\tshark.exe" -B 64 -n -i 4 -b duration:60 -b
files:480 -f "not (tcp port 3389 or tcp port 445 or tcp port 139)" -w
D:\Wireshark_Captures\PCSGSQLCS02B.pcap

Using Process Explorer, I see it spawned dumpcap with the following command
line:

"C:\Program Files\Wireshark\dumpcap" -i
\Device\NPF_{53708B57-5FE5-47BD-8DD4-E9C336D696E7} -b duration:60 -b files:480
-Z 4828 -B 64 -f "not (tcp port 3389 or tcp port 445 or tcp port 139)" -w
D:\Wireshark_Captures\PCSGSQLCS02B.pcap

TSHARK has been running since 8:07:36 PM on 12/6/2010.  Timestamp of the file
preceding the currently growing file is 9:16 PM on 1/2/2011.

This looks to me like we have reached some limitation on the number of files it
will cycle through...

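A watchdog for the symptom reported above (capture continues, but into the same file), as an added example that is not part of the original report or of Wireshark: it compares the modification times of the two newest ring-buffer files against the `-b duration` value. The function names, the `slack` factor and the sample file names are assumptions made for illustration; only the file prefix and the `.pcap` extension are matched.

```python
import os
import tempfile
import time


def ring_buffer_status(directory, stem, duration_s, now=None, slack=3):
    """Classify a ring buffer as 'ok', 'rotation_stalled', 'capture_stopped'
    or 'unknown', using file modification times only."""
    now = time.time() if now is None else now
    limit = slack * duration_s  # tolerate a few missed intervals before alerting
    files = []
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.startswith(stem) and entry.name.endswith(".pcap"):
            files.append((entry.stat().st_mtime, entry.name))
    files.sort()
    if len(files) < 2:
        return "unknown"  # nothing to compare the current file against
    newest_mtime = files[-1][0]
    previous_mtime = files[-2][0]  # last write to the previous file ~ last rotation
    if now - newest_mtime > limit:
        return "capture_stopped"  # nothing is being written at all
    if now - previous_mtime > limit:
        return "rotation_stalled"  # still writing, but into the same file
    return "ok"


def _make_sample(directory, ages_s, now):
    """Constructed sample data: one empty file per age (seconds before `now`)."""
    for i, age in enumerate(ages_s):
        path = os.path.join(directory, f"PCSGSQLCS02B_{i:05d}.pcap")
        open(path, "wb").close()
        os.utime(path, (now - age, now - age))


def demo():
    now = 1_700_000_000.0  # fixed, constructed clock so results are repeatable
    cases = {"healthy": [130, 70, 5], "stalled": [3700, 3640, 5], "dead": [9000, 8940, 8000]}
    results = {}
    for label, ages in cases.items():
        with tempfile.TemporaryDirectory() as d:
            _make_sample(d, ages, now)
            results[label] = ring_buffer_status(d, "PCSGSQLCS02B", 60, now=now)
    return results


if __name__ == "__main__":
    print(demo())
```

Run from a separate scheduled task against the capture directory, this flags the condition within a few rotation intervals instead of weeks later.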