`tshark` is calling `dumpcap` to do the capture and maintain the ring buffer. (See diagram in WSDG: Chapter 7. How Wireshark Works.)

I think you're getting a race condition where `dumpcap` is wrapping the ring buffer before `tshark` is done processing a file. Are you catching stderr when starting `tshark`?

You might try more smaller files: `-b filesize:100 -b files:20`.
```
250714_ring_buffer$ "$WS_BIN/tshark.exe" -i 4 -b filesize:10 -b files:2 -w foo -V > tshark.out 2>tshark.err
250714_ring_buffer$ cat tshark.err
Capturing on 'Intel(R) Ethernet Connection I218-LM'
tshark: The file "foo_00005_20250714210249" doesn't exist.
121 packets captured
250714_ring_buffer$ tail -10 ./tshark.out
        Frame Type: PING (0x0000000000000001)
    CRYPTO
        Frame Type: CRYPTO (0x0000000000000006)
        Offset: 45
        Length: 5
        Crypto Data
    PADDING Length: 3
        Frame Type: PADDING (0x0000000000000000)
        [Padding Length: 3]
```
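A toy timing model of the race described in this answer, added here as an illustration; it is not part of the original answer and not Wireshark code. It assumes the writer deletes file n when it creates file n + `files`, and that the reader fails only when it tries to open a file that is already gone; `first_missing_file`, the fill times and the read time are constructed for the example.

```python
# Toy model of the dumpcap/tshark ring-buffer race (added example, not Wireshark code).
# Assumptions: the writer deletes file n when it creates file n + ring_files,
# and the reader fails only when it tries to OPEN a file that is already gone.

def first_missing_file(fill_times, read_time, ring_files):
    """Return the 1-based number of the first file the reader cannot open,
    or None if the reader keeps up.

    fill_times -- seconds the writer needs to fill each successive file
    read_time  -- seconds the reader needs to dissect one full file
    ring_files -- the N in "-b files:N"
    """
    # created[i] is the time file i+1 is created, which is also the time
    # file i is complete.
    created = [0.0]
    for t in fill_times:
        created.append(created[-1] + t)

    reader_free = 0.0  # time at which the reader finishes its current file
    for n in range(1, len(fill_times) + 1):
        born = created[n - 1]
        complete = created[n]
        # File n is removed when file n + ring_files is created.
        k = n + ring_files
        removed = created[k - 1] if k - 1 < len(created) else float("inf")
        opened = max(born, reader_free)
        if opened >= removed:
            return n  # the reader would report: The file "..." doesn't exist.
        # The reader cannot finish before the writer has finished the file.
        reader_free = max(opened + read_time, complete)
    return None


if __name__ == "__main__":
    # Constructed workload: quiet link, a 30-file traffic burst, quiet again.
    burst = [10.0] * 3 + [1.0] * 30 + [10.0] * 5
    for files in (2, 20):
        print(f"-b files:{files}: first missing file =",
              first_missing_file(burst, 2.0, files))
    # A reader that is always slower than the writer eventually loses a file
    # however deep the ring is; a deeper ring only absorbs bursts.
    print("sustained overload, files:20 ->",
          first_missing_file([1.0] * 100, 2.0, 20))
```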