Hi,
reading dumpcap documentation https://www.wireshark.org/docs/man-pa... I got interested in the buffer ring filter packet => "packets:value switch to the next file after it contains value packets.". Do you have any examples or hints on how to use it? Can I write pcap according to packets flags or header information?
Thank you in advance
Nope, it's simply a count of the number of packets in the current capture file. In the documentation value is a placeholder for the number of packets.
There are no options to switch to the next file based on what's in the packets as dumpcap doesn't do dissection. Even if using tshark, which does dissect, there are no options to switch to the next file based on packet contents, mainly because it uses the same code as dumpcap.
Thank you for the answer! Do you have any hint on how to manage a pacp according to packet content. My problem is mainly related to the fact that I have a certain amount of data loss because the file stream gets split between two pcap file, so object extraction just delivers a corrupted file.
tshark supports dissection while filtering, at the cost of lower peak capture speeds.
Determining when to split, i.e. all conversations are complete so a new file can be started is a much more difficult thing, you'd need some sort of global conversation tracker and when the other -b options have been met and all conversations are complete then start a new file. I could image if you're capturing on a server your might never get all conversations to the completed state, here would always be at least one in progress.
You could raise an enhancement request for this on the issue tracker.
Asked: 2021-07-01 10:06:32 +0000
Seen: 206 times
Last updated: Jul 01 '21
