I would like to run wireshark with multiple files of 2 GB each, with max. 50 files. When i start wireshark, the windows flashes and with every flash a file is created, up to 50 files. Then wireshark stops. This happens in the 64 bit and 32 bit version. I'm running windows 7 Pro asked 21 Aug '13, 00:58  FMvdBergh |
2 Answers:
I can confirm thar behavior for 10.0.x on Windows XP SP3. It only happens if you select a file size of >= 2 Gigabyte. In that case the file switch takes place after a single frame, thus the "flashing" of the window. This looks like a yet undiscovered bug as it is the same for 1.8.x and 1.9.x. Instruction to reproduce it.
Select: Use multiple files Select: Next file every 2 Gigabyte Select: Stop capture a xx files Please file a bug report at https://bugs.wireshark.org with a link to this question. Regards answered 26 Aug '13, 06:20  Kurt Knochner ♦ Does this hold true for a 64 bit version of Wireshark? (26 Aug '13, 07:28) grahamb ♦ Grahamb, that holds for the 64 bit version. I observed this behavior also in the linux version. (26 Aug '13, 08:57) FMvdBergh No need for a bug report; I committed a fix in r51576 and scheduled it for 1.10.2. In the meantime, you can either download a win32 (or win64) automated release or use the following work-around: Instead of specifying 2 gigabyte(s) for the "Next file every" setting, specify 2000 megabyte(s). (29 Aug '13, 12:23) cmaynard ♦♦ This means that this question can be closed. I'm not sure how to do that. (01 Sep '13, 05:35) FMvdBergh I marked Kurt's answer as the accepted one. This is done by clicking on the check mark next to the answer per the faq. (01 Sep '13, 05:43) cmaynard ♦♦ |
Well, I'm assuming that when you configured your ring buffer for a maximum of 50 files that you didn't also set the "Stop capture after 50 files" too? Those are pretty big files, and I wouldn't be the least bit surprised if you encountered an Out of Memory condition, which may or may not be the cause of the problem here. In any case, I highly recommend using dumpcap instead, which can provide the same ring buffering options as Wireshark provides, but which will obviate the risk of running out of memory. answered 23 Aug '13, 07:35  cmaynard ♦♦ Hi, thanks for the answer. I see that I left out the fact that the files were all fifty filled with only a few bytes. If they were filled to the max with captured data then would not have a problem. The settings were 2 GB per file and to stop after 50 files, no ringbuffer. So, i don't think is a Out of memory problem since there is no data. For now i'm using the next settings and that seems to work: Every 30 minutes a file with 4 ringbuffers. (26 Aug '13, 02:53) FMvdBergh OK I'm jumping in here because I've run into this issue more than once. I set it up to capture 5-20M files and use a ring buffer of say 200 files. It will capture 5-20 files and then crash. It appears to be that the smaller I set up the file sizes the larger number of files it creates before crashing. So now I see this dumpcap and think ok this sounds like the direction I need to go. So now I'm off to research this. This appears to be tshark which I've never run.... (11 Sep '13, 18:25) ChiefWFB |
Isn't that what you want?
What do you call files ?
For Kurt,
yes, that is what i want, but i want them also to be filled with data.
For Afrim,
Names like DVL, or DVL-1, or DVL_captures_data, names like that. Nothing complecited. I've tried them all.