Ethereal-users: [Ethereal-users] Tethereal and use of the file ring option

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Adrian R Conrad <adrian_conrad@xxxxxxxxxx>
Date: Tue, 6 Jul 2004 11:27:55 +0100

A client with a complex software problem involving two intercommunicating
Windows/2000 servers has installed ethereal to trace the link between the
servers. The problem is sporadic, occurring only once a day at most, and
the data rate is very high. This makes the option of a ring of capture
files very attractive.

I have been trying to use the tethereal command to start the capture,
since the activation of the tracing has to be combined with other data
gathering, and a one-line command seemed simplest.

However, I have encountered a few problems in trying to specify ring
capture with tethereal.

Background:
The current options to specify a ring of capture files appear to be:
      [tethereal] -a filesize:nnnnn -b N:ttttt .....     ,

where N is the desired number of trace file extents in the ring, ttttt
is the maximum time in seconds before a switch is made to the next trace
extent, and nnnnn is the maximum size in bytes allowed in one extent
before a switch is made to the next extent.

1. I'm finding that tethereal will not start with the -b N:ttttt option
   specified UNLESS the -a filesize:... option is also specified. An
   error message is specified to that effect. That is, it doesn't seem
   possible to specify a ring of files to operate only on timing.

   However, that should not matter if the filesize threshold could be
   made sufficiently high, since the switching of extents should then
   only be driven by the time intervals. However...

2. ...when the filesize is specified too high, something seems to go
   wrong with the extent switching.

   If the command is issued
      tethereal -a filesize:1000000 -b 3:20 -i ...
   with a file maximum threshold of 1000000 bytes, Ethereal duly starts
   capturing and swaps to a new extent every 20 seconds.

   But if instead of 1000000, the value 50000000 or 1000000000 is used
   (50 MB or 1 GB), then switching between extents occurs very rapidly
   - in under a second. It seems as if in these cases the filesize
   threshold is treated as ZERO (or virtually zero) and a switch occurs
   as soon as a single frame is captured to the current extent.

   In our case we need to collect traces with switching at intervals of
   about 2 hours. We estimate the capture volume for such a period as
   about 150-300 megabytes. I suspect the filesize limit for proper
   ring capture is currently around 10 MB and that's still much too low
   for us.

3. I've only just discovered the on-line manual pages (see final remarks)
   - these prompt speculation whether a combination like
      tethereal -a duration:ttttt -b N
   might work - i.e. no filesize, but still using the -a option.

   Can anyone say if this works? The error message rejecting -b by
   itself didn't suggest this.


I'm delighted to see that you now have the "manual"-style documentation
directly available on the Web. This is particularly useful for people
using Ethereal in a Windows environment.

I did have a gripe that documentation on tethereal wasn't too good,
especially in the on-line PDF User's Guide (itself rather old). That
guide was not only very brief about tethereal, with just 4 lines, on p. 93,
but was actually misleading in suggesting that the same options apply
as for Ethereal (e.g. -k does not apply).


Best regards, Adrian.

Adrian Conrad,
Consultant Network Specialist, IBM UK ITS Technical Support
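The semantics the post describes (a ring of N capture extents switched on a size threshold, a time threshold, or both, with the oldest extent overwritten) can be simulated without a live capture. The script below is an added example, not tethereal's own code: it parses -a/-b style options as the post spells them out, builds the argument list shown in the post, and drives a small ring model with constructed frames. It also shows the symptom from point 2 as a boundary condition: when the effective size threshold is smaller than a single frame, every frame forces a switch. The threshold_fits_int32 check is a hypothetical defensive test a wrapper script could make before launching; whether a 32-bit counter is actually behind the behaviour in the post is not established here.

```python
# Ring-capture rotation simulator (added example; not Ethereal/tethereal code).
# Frames below are constructed; names such as "trace_00000" are placeholders.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INT32_MAX = 2**31 - 1


def parse_autostop(spec: str) -> Tuple[str, int]:
    """Parse an -a style condition: 'filesize:nnnnn' or 'duration:ttttt'."""
    kind, _, value = spec.partition(":")
    if kind not in ("filesize", "duration") or not value.isdigit():
        raise ValueError(f"bad autostop condition: {spec!r}")
    return kind, int(value)


def parse_ring(spec: str) -> Tuple[int, Optional[int]]:
    """Parse a -b style ring spec: 'N' (size-driven only) or 'N:ttttt'."""
    count, _, secs = spec.partition(":")
    if not count.isdigit() or int(count) < 1 or (secs and not secs.isdigit()):
        raise ValueError(f"bad ring specification: {spec!r}")
    return int(count), (int(secs) if secs else None)


def build_tethereal_argv(iface: str, filesize: int, ring: str) -> List[str]:
    """Format the one-line command quoted in the post as an argv list."""
    return ["tethereal", "-a", f"filesize:{filesize}", "-b", ring, "-i", iface]


def threshold_fits_int32(value: int, unit_multiplier: int = 1) -> bool:
    """Hypothetical wrapper check: reject a size threshold that would not fit a
    signed 32-bit byte counter after unit conversion, since such a threshold
    cannot be enforced as the user intends."""
    return 0 < value * unit_multiplier <= INT32_MAX


@dataclass
class CaptureRing:
    num_files: int                       # N extents kept on disk
    max_bytes: Optional[int] = None      # switch when an extent would exceed this
    max_seconds: Optional[int] = None    # switch when an extent is this old
    base: str = "trace"
    current: int = 0                     # sequence number of the extent being written
    started_at: Optional[float] = None   # timestamp when the current extent opened
    written: int = 0                     # bytes in the current extent
    history: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.max_bytes is None and self.max_seconds is None:
            raise ValueError("ring needs a size or a time threshold")
        self.history.append(self.name(0))

    def name(self, seq: int) -> str:
        return f"{self.base}_{seq:05d}"

    def write_frame(self, ts: float, nbytes: int) -> bool:
        """Record one frame; return True if a switch to the next extent occurred."""
        if self.started_at is None:
            self.started_at = ts
        rotate = self.max_seconds is not None and ts - self.started_at >= self.max_seconds
        # A frame that would push a non-empty extent past the size limit forces a
        # switch; an empty extent always accepts its first frame.  If the limit is
        # below one frame size, this fires on every frame after the first.
        if self.max_bytes is not None and self.written > 0 and self.written + nbytes > self.max_bytes:
            rotate = True
        if rotate:
            self.current += 1
            self.started_at = ts
            self.written = 0
            self.history.append(self.name(self.current))
        self.written += nbytes
        return rotate

    def live_files(self) -> List[str]:
        """Extents still on disk: at most num_files, oldest overwritten first."""
        return self.history[-self.num_files:]


def sample_frames(seconds: float = 60, interval: float = 0.5, size: int = 1500):
    """Constructed traffic: one frame of `size` bytes every `interval` seconds."""
    return [(i * interval, size) for i in range(int(seconds / interval))]


def simulate(ring: CaptureRing, frames) -> List[float]:
    """Feed (timestamp, size) frames; return timestamps at which switches occurred."""
    return [ts for ts, n in frames if ring.write_frame(ts, n)]


if __name__ == "__main__":
    frames = sample_frames()
    ok = CaptureRing(3, max_bytes=1_000_000, max_seconds=20)
    print("switches at", simulate(ok, frames), "live:", ok.live_files())
    tiny = CaptureRing(3, max_bytes=1000, max_seconds=20)
    print("switches with sub-frame threshold:", len(simulate(tiny, frames)))
```

With a 1 MB threshold and a 20 s interval the model switches at 20 s and 40 s, exactly the behaviour the post reports for 1000000; with a threshold smaller than one frame it switches on 119 of 120 frames, which is the "treated as zero" symptom the post describes for the larger values.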