# tshark ring-buffer duration vs interval

I am looking at the documentation for tshark -b, and it's unclear to me what the difference is between "interval" and "duration". Both are in seconds and at the end of NUM seconds, the file rotates.

For example, what is the difference between these two commands?

tshark -b files:5 -b duration:10 -w file
tshark -b files:5 -b interval:10 -w file


In both cases, I see the filename endings change and increase by 10 about every 10s that look something like this:

bash:/tmp/duration-test\$ ls -1
file_00003_20190808003713
file_00004_20190808003723
file_00005_20190808003733
file_00006_20190808003743
file_00007_20190808003753

edit retag close merge delete

Sort by » oldest newest most voted

From the man page:

duration:value switch to the next file after value seconds have elapsed, even if the current file is not completely filled up. Floating point values (e.g. 0.5) are allowed.

interval:value switch to the next file when the time is an exact multiple of value seconds

Using a value of 8 seconds I got the following output with duration:

_00001_20190808113539
_00002_20190808113547
_00003_20190808113555
_00004_20190808113604
_00005_20190808113612
_00006_20190808113621


and for interval:

_00001_20190808112634
_00002_20190808112640
_00003_20190808112648
_00004_20190808112656
_00005_20190808112704
_00006_20190808112712


You can see that duration is (approximately) equally spaced after the initial start time whereas the interval starts the second file at the next multiple of 8 (not sure where it starts from, maybe the current minute). Given a larger interval, e.g. 3600, I suspect that after the first file, all others will start on an exact hour boundary.

more

Makes sense to me. Thanks for the quick response.

( 2019-08-08 15:20:36 +0000 )edit

The duration option has been available for a long time, but I was always more interested in clean time intervals instead so I added the interval option. Whenever "<epoch-seconds> DIV <interval>" rolls over to the next value, a new file is created. So for 8 second intervals, it is not on a nice minute boundary. But for intevals of 5, 6 or 10 seconds it makes more sense :-)

( 2019-08-13 05:15:18 +0000 )edit

Hi Sake,

If this is your baby, can you add text to the manpage and --help? The example that Graham provided with numbers is clear, and right now, existing documentation is not.

Thanks for making this feature, Ross

( 2019-08-13 07:05:05 +0000 )edit