Wireshark-users: Re: [Wireshark-users] How can get more than 1024 files with tshark ringbuffer?
From: "Andrew Cuthbertson" <[email protected]>
Date: Thu, 5 Jun 2008 22:32:30 +0200
Many thanks for the useful reply. I shall try out dumpcap and the latest
tshark for more than 1024 files.

I have the latter case. Capture as much data as the hard disk would hold in
a ringbuffer and then save off the relevant time period when users call to say
the intermittent problem has occurred. The 1024 files at 100MB only gave me
about 3 hours of data and users don't often report the issues so quickly.

Thanks for the ringbuffer syntax check. Looks like I mistyped the original
for the email.

For remote sniffers I use 0.99.5 as there seem to be some issues loading
later version traces into some analysis code that we have written to analyse
lots of trace files at once. Maybe this version has a 1024 ring buffer.

Also for application analysis we sometimes load a trace into Compuware
Application Expert and that also has some issues loading some more recent
Wireshark version traces.

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Sake Blok
Sent: 04 June 2008 23:56
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How can get more than 1024 files with

On Wed, Jun 04, 2008 at 10:05:23AM +0200, Andrew Cuthbertson wrote:
> I'm trying to find some intermittent problems and need to capture packets
> over a long period of time on a busy segment

Do you need to capture "until" the problem occurs and then stop
capturing? Or do you need to capture for a long time and then analyse
the data to see if the problem was there? In the first case, you need a
large enough capture buffer to store as much data as is transferred
in the delay between the time the problem is occurring and the time
the problem is detected and the capture file is stopped. You can use
the -b files:xxx option. In the latter case, you want to omit this
option and just use the -b filesize:xxx option (used in both scenarios).

> I currently have in a .bat file. call "c:\tshark.exe"  -a 100000 -b
> 1024 -w
> "trace_Rgbuf0.enc" -i 1

The proper syntax would be:

tshark -b filesize:100000 -b files:1024 -w <filename>

> This creates a ring buffer of 1024 100MB files. If I increase the -b value
> higher than 1024 I still only get 1024. Is there a way to have a ring
> of more files? I'm reluctant to have bigger than 100MB size files as they
> take so long to process and the current 100GB of captured data is only 3
> hours worth.

I just tested it with:

tshark -i 3 -w test.cap -b filesize:1 -b files:2048

and that gives me 2048 files, just as requested.

What version of tshark are you using?

BTW, you'd better run 'dumpcap' instead of 'tshark' for this purpose.
tshark will keep state information and thus hog your memory. Dumpcap
just dumps the captured packets to disk. It's therefore also faster,
which you need in a busy segment to not get packet discards on your
capturing system.

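An added example, not from either message, of the "save off the relevant time period" step Andrew describes: picking out which ring-buffer files can contain packets for a reported window so they can be copied away (or merged with mergecap) before the ring overwrites them. It assumes the default tshark/dumpcap ring-buffer naming, prefix_NNNNN_YYYYMMDDhhmmss.ext, where the timestamp is the moment the file was opened; the file names below are constructed.

```python
import re
from datetime import datetime

# tshark/dumpcap ring-buffer files are named <prefix>_<5-digit seq>_<YYYYMMDDhhmmss>.<ext>;
# the timestamp is when the file was opened, so a file runs until the next one is opened.
RING_NAME = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.(?P<ext>\w+)$")


def parse_ring_file(name):
    """Return (sequence number, open time) for a ring-buffer file name, or None."""
    m = RING_NAME.match(name)
    if not m:
        return None
    return int(m.group("seq")), datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")


def select_window(names, start, end):
    """Return the ring-buffer files that may hold packets between start and end.

    A file covers the interval from its own open time until the next file's
    open time; the newest file is still being written, so it is taken to run
    until the end of the requested window.
    """
    files = []
    for n in names:
        parsed = parse_ring_file(n)
        if parsed:                       # ignore anything that is not a ring file
            seq, opened = parsed
            files.append((opened, seq, n))
    files.sort()                         # chronological, sequence as tie-break
    chosen = []
    for i, (opened, _seq, name) in enumerate(files):
        closed = files[i + 1][0] if i + 1 < len(files) else end
        if opened <= end and closed >= start:
            chosen.append(name)
    return chosen


# Constructed sample: four 15-minute files from a 100 MB ring on the night of the report.
SAMPLE = [
    "trace_00001_20080604230000.cap",
    "trace_00002_20080604231500.cap",
    "trace_00003_20080604233000.cap",
    "trace_00004_20080604234500.cap",
    "notes.txt",
]

if __name__ == "__main__":
    hit = select_window(SAMPLE, datetime(2008, 6, 4, 23, 20), datetime(2008, 6, 4, 23, 35))
    print("mergecap -w window.cap " + " ".join(hit))
```

The printed mergecap line is the one to run (mergecap ships with Wireshark) to produce a single file for the reported period; copy the selected files out of the ring directory first if the ring is close to wrapping.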