Why does "tshark -b packets:value" not work?

asked 2021-07-04 02:29:04 +0000

7ACE gravatar image


    On Windows 10, using tshark, why does "tshark -b packets:value" not work?

    "tshark -b packets:1000 -w test.pcapng"  or  "tshark -b packets:1000 -b files:3 -w test.pcapng"
    tshark: Multiple capture files requested, but no maximum capture file size, duration or interval was specified.

    tshark version
    TShark (Wireshark) 3.4.6 (v3.4.6-0 - g6357ac1405b8))

Regards, 7ACE

I can't answer your question why it's not possible to do a multiple file capture based on the count of packets only. From my understanding this should work as expected. Maybe a bug?

But as the error message says: just add a maximum file size, duration or interval to your command and it will work. Select a high value so that the packet counter will take in place first.

tshark -b duration:100000 -b packets:100 -w test.pcap
JasMan gravatar imageJasMan ( 2021-07-04 10:33:56 +0000 )edit

Thank you for the answer!

7ACE gravatar image7ACE ( 2021-07-05 00:20:12 +0000 )edit

answered 2021-07-04 12:45:45 +0000

André gravatar image

This looks like a bug in tshark (global_capture_opts.has_file_packets check missing at line 1775).

You can report this at the Wireshark issues list .

When capturing to file just use dumpcap instead of thshark, with same command line options. All tshark does here is calling dumpcap to do the capturing.

bug fix merged into master.

As mentioned "-b packets:value" already works with current version of dumpcap.

André gravatar imageAndré ( 2021-07-04 21:23:49 +0000 )edit

Thanks guys !

7ACE gravatar image7ACE ( 2021-07-05 00:21:27 +0000 )edit

