Wireshark · Wireshark-users: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations

[Jaap Keuter <jaap.keuter@xxxxxxxxx>]

Hi,

Have a look at the developer guide[1] for more information on building 
Wireshark. Crosscompiling is not really an option.

Thanks,
Jaap

[1] http://www.wireshark.org/docs/wsdg_html_chunked/


On 05/19/2010 09:35 PM, Joseph Laibach wrote:
> Jaap,
>          I work for a stock trading firm. We are looking to have a system in place to capture the entire days worth of market data. We have a line that comes in and brings multiple feeds in to our servers. We would like to be able to let this capture run and then over-write itself the next day. The 8mb files are a nice size to work with and do not due much damage when moved about across wan links. So in order to get about a day's worth of traffic at 8mb clips I need a ring buffer of about 25000 files. The traffic adds up to about 225 to 235gb a day depending on market activity. The 8mb files also work very nicely in our home grown Sequence number search web app.
>
> Can I compile Wireshark on linux to be used on windows or do I need to compile on windows?
>
> Thanks
>
> Joe
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
> Sent: Wednesday, May 19, 2010 3:21 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations
>
> Hi,
>
> But do you really want that many files in you file system?
>
> Thanks,
> Jaap
>
> On 05/19/2010 08:48 PM, Joseph Laibach wrote:
> > Jaap,
> >           Sounds great, but I have no clue about compiling. Looks like it's time for some more reading and experimenting.
> >
> > Thanks
> >
> > Joe
> >
> > -----Original Message-----
> > From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
> > Sent: Wednesday, May 19, 2010 2:35 PM
> > To: Community support list for Wireshark
> > Subject: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations
> >
> > Hi,
> >
> > It's hardcoded, so you can get the source, increase the limit, recompile and go.
> >
> > Thanks,
> > Jaap
> >
> > On 05/19/2010 08:17 PM, Joseph Laibach wrote:
> > > Is there a way to remove that limit or override it?
> > >
> > > Thanks
> > >
> > > Joe
> > >
> > > -----Original Message-----
> > > From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
> > > Sent: Wednesday, May 19, 2010 2:07 PM
> > > To: Community support list for Wireshark
> > > Subject: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations
> > >
> > > On 05/19/2010 07:38 PM, Joseph Laibach wrote:
> > > > All,
> > > >
> > > > I'm running a continuous capture of data. I'm trying to use a ring
> > > > buffer of 25000 files with an 8mb file size. The problem is that the
> > > > ring buffer starts overwriting after 10000 files. I've tried it with
> > > > dumpcap and tshark. The command is using the -b files:25000 -b
> > > > filesize:8192. Is there a limitation to the size of the ring buffer for
> > > > dumpcap and/or tshark?
> > > >
> > > > Thanks
> > > >
> > > > Joe
> > > >
> > > > - Wireshark V1.2.8
> > > >
> > > > - Windows 2003 Server R2 64bit
> > > >
> > > > - WinPcap v4.1.1
> > >
> > > Hi,
> > >
> > > That's a fixed limit:
> > >
> > > jaap@host:~/src/wireshark/trunk$ grep RINGBUFFER_MAX_NUM_FILES *.h
> > > ringbuffer.h:#define RINGBUFFER_MAX_NUM_FILES 10000
> > >
> > > Thanks,
> > > Jaap