dumpcap -w option with -b option does not seem to work
* UPDATED TO MERGE THE DUPLICATE QUESTION INFO *
Running dumpcap on Ubuntu 18.04 LTS 64-bit. I can run Wireshark in the GUI just fine, can capture packets, etc. Please note that I can run dumpcap, outputting to a temporary file. That works. My user is in the group 'wireshark' and yes I chose those pcap installation options to have it work that way. So, from a basic permissions point of view, dumpcap does run, does capture packets.
If there is some reason anyone knows why "sudo command" is not the same as "running as root" then please tell me.
My problem is not having ANY success getting the output options to work properly.
They seem very broken.
First of all, just using the -w filename option does not work unless I first create the file. That does not make any sense to have it work that way!
sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng -q
Capturing on 'enp0s3'
dumpcap: The file to which the capture would be saved ("/home/jgustavson/myfile.pcapng") could not be opened: Permission denied.
Notice that the file in fact does not exist but the program says "Permission denied" as the error. I am in my home directory at the time. If I create the file via echo foo >myfile.pcapng and then try the dumpcap command, it works. Very unexpected!
sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng -q
Capturing on 'enp0s3'
File: /home/jgustavson/myfile.pcapng
Packets captured: 141
[ctrl-C here]
Packets received/dropped on interface 'enp0s3': 141/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)
Anyone understand why dumpcap seems to be incapable of creating a file if I tell it the name to use with the -w option? If I leave the -w option out, it will create and write to a temporary file just fine.
What I really want to do is set up a ring buffer option, so dumpcap will start a new file every nnn seconds:
sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng -b interval:60 -q
Capturing on 'enp0s3'
dumpcap: The file to which the capture would be saved ("/home/jgustavson/myfile.pcapng") could not be opened: No such file or directory.
... but as you can see, that fails too. (Yes, I had deleted myfile.pcapng before running the command, to start "clean".) If I leave out the -w option, it complains: "dumpcap: Ring buffer requested, but capture isn't being saved to a permanent file."
Now I want to run dumpcap, using a ring buffer option to start a new file every 60 seconds. I use the command line:
sudo dumpcap -i enp0s3 -w `pwd`/dump.pcapng -b interval:60 -q
No matter what I do, so long as I have the -b option on the command line, I get grousing:
Capturing on 'enp0s3'
dumpcap: The file to which the capture would be saved ("/home/jgustavson/dump.pcapng") could not be opened: No such file or directory.
This seems like it should ...