Wireshark-users: Re: [Wireshark-users] dumpcap -c caveat [Re: Can I get Wireshark to capture cons
From: kevin creason <ckevinj@xxxxxxxxx>
Date: Thu, 26 Aug 2010 07:00:29 -0500
This thread was very helpful, but it wasn't working for me. It only took the first -b flag; I had to make the duration/filesize option an "-a" flag and put only the "files:#" on the -b flag.

I went with the filesize rotation rather than a duration because the files from the duration of 120 seconds ranged from a few MB to 500 MB on my small business network. A 500 MB file in Wireshark is not easy to work with!

I want to have several hours' worth to go back and look at, so we'll see how this will work. Here's my command:

dumpcap -a filesize:6000 -b files:150 -i eth3 -w /var/dumpcap/eth3


-Kevin
/*“ I am looking for a lot of men who have an infinite capacity to not know what can't be done. ” -- Henry Ford  */



On Tue, Aug 24, 2010 at 7:42 PM, Gregorio Tomas Focaccio <public.focaccio@xxxxxxxxx> wrote:
Be aware that the -c argument appears to be absolute and overrides any of the ring buffer arguments. My command:

dumpcap -b duration:1800 files:5 -i 4 -c 5000 -w 915PBLbr0

stopped at 5000 packets and did not start writing to the next file. My new, and hopefully final, command for capturing all packets seen by the 4th interface of the dumpcap -D list to a ring buffer of 5 files with a capture duration of 30 minutes each is:

dumpcap -b duration:1800 files:5 -i 4 -w 915PBLbr0
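Added example, not part of either poster's message: a small shell wrapper that assembles a ring-buffer command with each option on its own -b (the form the dumpcap manual documents), refuses a -c packet count because of the caveat reported above, and reports the ring's worst-case disk use. The helper names ring_cmd, ring_budget_kb and is_uint are hypothetical; the interface, path and sizes in the demo are the ones from the thread.

```shell
#!/bin/sh
# Added example. ring_cmd, ring_budget_kb and is_uint are hypothetical helper
# names; only the dumpcap options (-i, -w, -b, -c) come from dumpcap itself.

is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# ring_budget_kb CRITERION FILES
# Worst-case disk use of the ring, in the kB units dumpcap's filesize uses.
# A duration-only ring has no size ceiling: file size follows traffic volume.
ring_budget_kb() {
    case $1 in
        filesize:*) echo $(( ${1#filesize:} * $2 )) ;;
        *)          echo unbounded ;;
    esac
}

# ring_cmd IFACE OUTFILE FILES CRITERION [PACKET_COUNT]
# CRITERION is filesize:<kB> or duration:<seconds>.
# Prints the command for review instead of running it.
ring_cmd() {
    iface=$1; out=$2; files=$3; crit=$4; count=${5:-}
    if [ -n "$count" ]; then
        echo "refusing -c $count: a packet count stops the capture outright, ring or not" >&2
        return 2
    fi
    case $crit in
        filesize:*|duration:*) ;;
        *) echo "criterion must be filesize:<kB> or duration:<seconds>" >&2; return 2 ;;
    esac
    if ! is_uint "${crit#*:}" || ! is_uint "$files"; then
        echo "criterion value and file count must be whole numbers" >&2
        return 2
    fi
    # One -b per ring-buffer option, so none is left as a stray argument.
    echo "dumpcap -i $iface -b $crit -b files:$files -w $out"
}

# Constructed demo using the values from the thread.
ring_cmd eth3 /var/dumpcap/eth3 150 filesize:6000
echo "disk ceiling: $(ring_budget_kb filesize:6000 150) kB"
echo "disk ceiling: $(ring_budget_kb duration:1800 5)"
```

For a continuous capture kept for later investigation, the size-based ring is the one with a predictable footprint; check the reported ceiling against free space on the capture volume before starting.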