
Ring Buffer Capture Keeps Stopping

asked 2019-10-01 00:14:44 +0000

feenyman99

Hi... I'm running v3.0.0, and I am trying to create a "continuous" capture via a ring buffer. I configure it to create 20MB files, with a ring buffer of 200 files. This will end up consuming 2GB of disk storage, which is fine since the disk has over a TB free.

BUT... After the capture had filled only two 20MB files, and had begun filling the third, it simply stopped. I'm sorry I don't have the text of the error message displayed, and it would take some time to reproduce the condition in order to re-display it, but it was something simply to the effect of "Capturing Stopped".

Am I running out of memory? Should I be using smaller files, and a larger number of them?

Thx for any suggestions / explanations.

feenyman99


Comments

There are a number of reasons why a capture can stop, so getting the correct error message would be helpful.

Note that for continuous captures, using dumpcap is recommended as it doesn't keep state which consumes memory. Dumpcap doesn't support display filters, so if you require those then use tshark.

grahamb ( 2019-10-01 07:38:01 +0000 )

Sorry for the late reply...

I have followed your dumpcap suggestion, and I got MUCH further than last time - I got 23 each 20-MB files this time - before the capture stopped. The abridged dumpcap output, including the "capture has stopped" message, is shown below.

In addition to the capture having stopped, apparently about 4% of the packets were getting dropped.

Any suggestions on what may be the problem, and/or steps to take to improve things, will be graciously accepted :-).

Thx, feenyman99

C:\Program Files\Wireshark>dumpcap -b files:100 -b filesize:20000 -i 7 -w C:\Users\MF\Documents\Michael\Wireshark\Ring_Buffer_with_dumpcap_experimenting\dumpcap_experiment_100_files_20MB_each.pcap
Capturing on 'Ethernet'
File: C:\Users\MF\Documents\Michael\Wireshark\Ring_Buffer_with_dumpcap_experimenting\dumpcap_experiment_100_files_20MB_each_00001_20191005200930.pcap
Packets: 16306 File: C:\Users\MF\Documents\Michael\Wireshark\Ring_Buffer_with_dumpcap_experimenting\dumpcap_experiment_100_files_20MB_each_00002_20191005201032.pcap
...
Packets: 361856 File: C:\Users\MF\Documents\Michael\Wireshark\Ring_Buffer_with_dumpcap_experimenting\dumpcap_experiment_100_files_20MB_each_00023_20191005212645.pcap

Packets: 380424 dumpcap: The network adapter on which the ...
feenyman99 ( 2019-10-06 02:45:25 +0000 )

1 Answer


answered 2019-10-06 06:58:07 +0000

SYN-bit

In your dumpcap output I see: "The network adapter on which the capture was being done is no longer running;". This means somewhere in the middle of your capture, your network interface was removed from your system. If the interface is no longer available, the capture stops.

What kind of network interface are you using and do you have any idea on why it might disappear from your system (not just a link down)?


Comments

Has a device gone to sleep (power saving?).

In addition, seeing packet drops implies the capture host isn't able to capture at full line rate. This might be simply due to the very high line rate or the capture host cpu\io\disk not being up to the task or sleeping.

grahamb ( 2019-10-06 10:14:00 +0000 )

In answer to SYN-bit's questions:
- My network interface: Realtek PCIe GBE Family Controller
- No, I have no idea why my NIC would disappear.

In answer to grahamb's question:
- My laptop was plugged into power the entire time. I have no evidence that it went to sleep.

HOWEVER... Looking in the Event Viewer (which is NOT my forte' at all), I see the following, very close in time to the creation of the last (23rd) file:

DeviceSetupManager - Event ID 131 - "Metadata staging failed, result=0x80070057 for container '{0D9CCEA3-6150-11E9-899D-40F02F5C5FF7}' "

Googling with this information, I find mostly arguments among the participants of various forums [fora??] :-(. Set my head to spinning.

Unless someone has a better suggestion, I will make sure that my Windows 10 laptop has all the latest updates, and find an appropriate Realtek forum in hopes of some enlightenment.

Keep the suggestions coming - I'll try almost anything (including ...

feenyman99 ( 2019-10-06 13:20:17 +0000 )

Can you add output of dumpcap -v and tshark -v ?

bubbasnmp ( 2019-10-06 16:49:17 +0000 )

Your wish... My command :-)

C:\Program Files\Wireshark>dumpcap -v
Dumpcap (Wireshark) 3.0.0 (v3.0.0-0-g937e33de)

Copyright 1998-2019 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.52.2, with zlib 1.2.11, with WinPcap SDK (WpdPack)
4.1.2.

Running on 64-bit Windows 10 (1809), build 17763, with AMD A6-5350M APU with
Radeon(tm) HD Graphics    (with SSE4.2), with 15512 MB of physical memory, with
locale C, without Npcap or WinPcap, binary plugins supported (0 loaded).

Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835).


C:\Program Files\Wireshark>tshark -v
TShark (Wireshark) 3.0.0 (v3.0.0-0-g937e33de)

Copyright 1998-2019 ...
feenyman99 ( 2019-10-07 14:41:43 +0000 )

You're not using the latest version of either the Wireshark suite (currently 3.0.5) or npcap (currently 0.9983). Should be simple to upgrade to at least eliminate any issues that might have been fixed.

grahamb ( 2019-10-07 14:53:37 +0000 )
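
For a long-running ring-buffer capture like the one in this thread, a small supervisor can record why dumpcap exited and start it again. This is an added example, not code from the thread or from the Wireshark project; the restart policy, the delay and the function names are assumptions, and the output path is a placeholder.

```python
import collections
import subprocess
import time

# Message quoted in the answer above; dumpcap reports it when the NIC goes away.
ADAPTER_GONE = ("The network adapter on which the capture was being done "
                "is no longer running")

def build_cmd(interface, outfile, files=100, filesize_kb=20000):
    """Ring-buffer command line with the same options as the one in the thread."""
    return ["dumpcap", "-i", str(interface),
            "-b", f"files:{files}", "-b", f"filesize:{filesize_kb}",
            "-w", outfile]

def classify(returncode, stderr_tail):
    """Map one dumpcap exit to a short reason for the log."""
    if ADAPTER_GONE in stderr_tail:
        return "adapter-gone"
    return "clean-stop" if returncode == 0 else "error"

def run_dumpcap(cmd, keep_lines=20):
    """Run dumpcap; return (exit code, last few lines of its stderr).

    dumpcap writes its status and error text to stderr; only a tail is kept
    so the packet counter cannot grow in memory during a long capture.
    """
    tail = collections.deque(maxlen=keep_lines)
    proc = subprocess.Popen(cmd, stderr=subprocess.PIPE, text=True)
    for line in proc.stderr:
        tail.append(line.strip())
    return proc.wait(), "\n".join(tail)

def supervise(cmd, run=run_dumpcap, max_restarts=5, delay=30, sleep=time.sleep):
    """Restart the capture after abnormal exits; return the reasons seen."""
    reasons = []
    for attempt in range(max_restarts + 1):
        code, tail = run(cmd)
        reasons.append(classify(code, tail))
        print(f"{time.strftime('%Y-%m-%d %H:%M:%S')} dumpcap exit {code}: {reasons[-1]}")
        if reasons[-1] == "clean-stop":
            break
        if attempt < max_restarts:
            sleep(delay)  # assumed pause to let the driver bring the adapter back
    return reasons

if __name__ == "__main__":
    # Interface 7 as in the thread; the path is a placeholder.
    supervise(build_cmd(7, r"C:\captures\ring.pcap"))
```

Each restart begins a new ring with its own timestamped file names, so files from the earlier run are not rotated out by the new one and need separate cleanup.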
