Ask Your Question
0

tshark ring-buffer duration vs interval

asked 2019-08-08 07:41:13 +0000

Ross Jacobs gravatar image

I am looking at the documentation for tshark -b, and it's unclear to me what the difference is between "interval" and "duration". Both are in seconds and at the end of NUM seconds, the file rotates.

For example, what is the difference between these two commands?

tshark -b files:5 -b duration:10 -w file
tshark -b files:5 -b interval:10 -w file

In both cases, I see the filename endings change and increase by 10 about every 10s that look something like this:

bash:/tmp/duration-test$ ls -1
file_00003_20190808003713
file_00004_20190808003723
file_00005_20190808003733
file_00006_20190808003743
file_00007_20190808003753
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
2

answered 2019-08-08 10:38:20 +0000

grahamb gravatar image

From the man page:

duration:value switch to the next file after value seconds have elapsed, even if the current file is not completely filled up. Floating point values (e.g. 0.5) are allowed.

interval:value switch to the next file when the time is an exact multiple of value seconds

Using a value of 8 seconds I got the following output with duration:

_00001_20190808113539
_00002_20190808113547
_00003_20190808113555
_00004_20190808113604
_00005_20190808113612
_00006_20190808113621

and for interval:

_00001_20190808112634
_00002_20190808112640
_00003_20190808112648
_00004_20190808112656
_00005_20190808112704
_00006_20190808112712

You can see that duration is (approximately) equally spaced after the initial start time whereas the interval starts the second file at the next multiple of 8 (not sure where it starts from, maybe the current minute). Given a larger interval, e.g. 3600, I suspect that after the first file, all others will start on an exact hour boundary.

edit flag offensive delete link more

Comments

Makes sense to me. Thanks for the quick response.

Ross Jacobs gravatar imageRoss Jacobs ( 2019-08-08 15:20:36 +0000 )edit

The duration option has been available for a long time, but I was always more interested in clean time intervals instead so I added the interval option. Whenever "<epoch-seconds> DIV <interval>" rolls over to the next value, a new file is created. So for 8 second intervals, it is not on a nice minute boundary. But for intevals of 5, 6 or 10 seconds it makes more sense :-)

SYN-bit gravatar imageSYN-bit ( 2019-08-13 05:15:18 +0000 )edit

Hi Sake,

If this is your baby, can you add text to the manpage and --help? The example that Graham provided with numbers is clear, and right now, existing documentation is not.

Thanks for making this feature, Ross

Ross Jacobs gravatar imageRoss Jacobs ( 2019-08-13 07:05:05 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-08-08 07:41:13 +0000

Seen: 752 times

Last updated: Aug 08 '19