Ethereal-users: Re: [Ethereal-users] Saving capture data sequentially to multiple files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 23 Jan 2002 23:01:09 -0800
On Wed, Jan 23, 2002 at 03:06:35PM -0800, Guy Harris wrote:
> > does Ethereal have the ability to save trace data continuously to hard disk
> > into sequentially / multiple trace files?
> 
> Continuously, no.  It does have the ability to save to multiple files,
> but only as part of a "ring buffer", with a maximum of a small number of
> files - it wraps around to overwrite the first file.
> 
> > If not:
> > 
> > Do you plan to implement this feature?

	...

> There are no formal plans to implement it, however.  (There are
> relatively few formal plans to do *anything* in Ethereal - features
> are added as people contribute code to implement them.)

Note that tcpdump 3.7.1 (recently released) implements it:

	% man tcpdump

		...

	SYNOPSIS
	       tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ]
	               [ -C file_size ] [ -F file ]
	               [ -i interface ] [ -m module ] [ -r file ]
	               [ -s snaplen ] [ -T type ] [ -w file ]
	               [ -E algo:secret ] [ expression ]

		...

	       -C     Before writing a raw packet to  a  savefile,  check
	              whether the file is currently larger than file_size
	              and, if so, close the current savefile and  open  a
	              new  one.   Savefiles after the first savefile will
	              have the name specified with the -w  flag,  with  a
	              number  after  it,  starting  at  2  and continuing
	              upward.  The units of  file_size  are  millions  of
	              bytes (1,000,000 bytes, not 1,048,576 bytes).

Note that it (and Ethereal/Tethereal) don't check *before* writing a
packet to a file whether doing so will make the file grow beyond the
maximum file size - instead, they check whether it's *already* beyond
the specified file size, so the file might be one packet larger than the
specified file size.  (I.e., don't use the maximum file size supported
by the OS and by the I/O library, e.g. 2^31-1, as the specified file
size.)

If you just want to capture packets to a file continuously, and then
look at them later, tcpdump should be sufficient.  Remember that the
default "snapshot length" for packets is a small 68 bytes, so if you
want to capture more than 68 bytes worth of packet data, use a larger
snapshot length with the "-s" flag (or use 0 as the snapshot length,
which means "make it really big so we capture all of the packet").
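The size check described above (rotate only if the file is *already* larger than the limit, so each savefile can end up one record larger than file_size) is easy to misread, so here is an added example that reproduces it in a small rotating pcap writer. This is illustrative code written for this archive page, not tcpdump's or Ethereal's source: it takes file_size in plain bytes rather than tcpdump's millions of bytes, uses 65535 where tcpdump's "-s 0" would pick a large snaplen, and writes constructed 500-byte frames. The file naming (capture, capture2, capture3, ...) follows the quoted man page.

```python
"""Rotating pcap writer that reproduces the "-C" size check quoted above.

Added example, not tcpdump or Ethereal code.  The check runs before each
packet is written but looks only at the current file size, so a savefile can
end up one packet record (16-byte header + up to snaplen bytes) over the limit.
"""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap magic, written little-endian here
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def pcap_global_header(snaplen):
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts_sec, ts_usec, packet, snaplen):
    """Per-packet record: caplen is truncated to snaplen, len is the wire length."""
    captured = packet[:snaplen]
    return struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(packet)) + captured


def record_lengths(record):
    """Parse (caplen, wire length) back out of a record header."""
    _, _, caplen, wirelen = struct.unpack("<IIII", record[:RECORD_HEADER_LEN])
    return caplen, wirelen


class RotatingPcapWriter:
    def __init__(self, basename, file_size, snaplen=68):
        self.basename = basename
        self.file_size = file_size      # bytes here; tcpdump's -C counts millions of bytes
        self.snaplen = snaplen
        self.index = 0
        self.files = []
        self.fh = None
        self._open_next()

    def _open_next(self):
        self.index += 1
        # Naming from the man page: first file is the -w name, later ones get 2, 3, ... appended
        name = self.basename if self.index == 1 else f"{self.basename}{self.index}"
        self.fh = open(name, "wb")
        self.fh.write(pcap_global_header(self.snaplen))
        self.files.append(name)

    def write(self, ts_sec, ts_usec, packet):
        # Same order as the quoted -C description: rotate only if the file is
        # *already* larger than file_size, then write the record regardless of
        # how far it pushes the file past the limit.
        if self.fh.tell() > self.file_size:
            self.fh.close()
            self._open_next()
        self.fh.write(pcap_record(ts_sec, ts_usec, packet, self.snaplen))

    def close(self):
        self.fh.close()
        return self.files


def max_overshoot(snaplen):
    """Worst-case number of bytes by which one savefile can exceed file_size."""
    return RECORD_HEADER_LEN + snaplen


def capture_to_rotating_files(directory, file_size, snaplen, packets):
    """Write the given packets with rotation; return [(filename, size_in_bytes), ...]."""
    writer = RotatingPcapWriter(os.path.join(directory, "capture"), file_size, snaplen)
    for i, pkt in enumerate(packets):
        writer.write(1011747669 + i, 0, pkt)    # constructed timestamps, one second apart
    return [(os.path.basename(f), os.path.getsize(f)) for f in writer.close()]


def demo():
    # Constructed traffic: five 500-byte frames, a 1000-byte limit, full-packet snaplen.
    packets = [bytes([i]) * 500 for i in range(5)]
    with tempfile.TemporaryDirectory() as d:
        return capture_to_rotating_files(d, file_size=1000, snaplen=65535, packets=packets)


if __name__ == "__main__":
    for name, size in demo():
        print(f"{name}: {size} bytes")
```

With a 1000-byte limit and 516-byte records (16-byte header plus 500 bytes of data), the first two files close at 1056 bytes, i.e. one whole record past the limit, which is exactly why a file_size equal to the OS or I/O library maximum is a bad choice: the record that triggers rotation is written first and the check comes after. The same writer also shows the snaplen point from the last paragraph, since caplen (what was saved) and len (what was on the wire) are stored separately in each record header.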