Wireshark-users: Re: [Wireshark-users] How can get more than 1024 files with tshark ringbuffer?
From: Sake Blok <[email protected]>
Date: Wed, 4 Jun 2008 23:55:40 +0200
On Wed, Jun 04, 2008 at 10:05:23AM +0200, Andrew Cuthbertson wrote:
> 
> I'm trying to find some intermittant problems and need to capture packets
> over a long period of time on a busy segment

Do you need to capture "until" the problem occurs and then stop
capturing? Or do you need to capture for a long time and then analyse
the data to see if the problem was there? In the first case, you need 
large enough capture buffer to store as much data as is transferred 
in the delay between the time the problem is occuring and the time
the problem is detected and the capture file is stopped. You can use
the -b files:xxx option. In the latter case, you want to omit this 
option and just use the -b filesize:xxx option (used in both scenarios).


> I currently have in a .bat file. call "c:\tshark.exe"  -a 100000 -b 1024 -w
> "trace_Rgbuf0.enc" -i 1

The proper syntax would be:

tshark -b filesize:100000 -b files:1024 -w <filename>

> This creates a ring buffer of 1024 100MB files. If I increase the -b value
> higher than 1024 I still only get 1024. Is there a way to have a ring buffer
> of more files? I'm reluctant to have bigger than 100MB size files as they
> take so long to process and the current 100GB of captured data is only 3
> hours worth.

I just tested it with:

tshark -i 3 -w test.cap -b filesize:1 -b files:2048

and that gives me 2048 files, just as requested.

What version of tshark are you using?

BTW  You'd better run 'dumpcap' instead of 'tshark' for this purpose.
tshark will keep sate information and thus hog up your memory. Dumpcap
just dumps the captured packets to disk. It's therefor also faster,
which you need in a busy segment to not get packet discards on your 
capturing system.


Cheers,
    Sake