Ask Your Question
0

Tshark does not save files in a ring

asked 2024-03-15 13:10:22 +0000

kjeld-flarup gravatar image

I'm trying to capture files in a ring buffer, but it seems like tshark ignores files:10 What am I doing wrong?

"C:\Program Files\Wireshark\tshark" -i "Ethernet 4" -b filesize:100 -b files:10 -w capture.pcap
Capturing on 'Ethernet 4'
 ** (tshark:5936) 17:54:33.111802 [Main MESSAGE] -- Capture started.
 ** (tshark:5936) 17:54:33.120450 [Main MESSAGE] -- File: "capture_00001_20240315175433.pcap"
783  ** (tshark:5936) 17:54:47.823130 [Main MESSAGE] -- File: "capture_00002_20240315175447.pcap"
1560  ** (tshark:5936) 17:55:02.201369 [Main MESSAGE] -- File: "capture_00003_20240315175502.pcap"
2340  ** (tshark:5936) 17:55:16.886229 [Main MESSAGE] -- File: "capture_00004_20240315175516.pcap"
3123  ** (tshark:5936) 17:55:31.022563 [Main MESSAGE] -- File: "capture_00005_20240315175531.pcap"
3896  ** (tshark:5936) 17:55:45.261889 [Main MESSAGE] -- File: "capture_00006_20240315175545.pcap"
4677  ** (tshark:5936) 17:55:59.911016 [Main MESSAGE] -- File: "capture_00007_20240315175559.pcap"
5454  ** (tshark:5936) 17:56:14.487242 [Main MESSAGE] -- File: "capture_00008_20240315175614.pcap"
6235  ** (tshark:5936) 17:56:28.918045 [Main MESSAGE] -- File: "capture_00009_20240315175628.pcap"
7012  ** (tshark:5936) 17:56:43.249923 [Main MESSAGE] -- File: "capture_00010_20240315175643.pcap"
7796  ** (tshark:5936) 17:56:57.954122 [Main MESSAGE] -- File: "capture_00011_20240315175657.pcap"
8568  ** (tshark:5936) 17:57:12.413741 [Main MESSAGE] -- File: "capture_00012_20240315175712.pcap"
edit retag flag offensive close merge delete

Comments

What version of tshark is running? (Output of tshark -v)

Did you look on disk to see if more than 10 files exist?
The filenames will continue to increment:
03/15/2024 09:39 AM 6,284 capture_00043_20240315093900.pcap

Chuckc gravatar imageChuckc ( 2024-03-15 14:41:24 +0000 )edit

Correct, it deletes the older files.

kjeld-flarup gravatar imagekjeld-flarup ( 2024-03-18 09:21:59 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-03-15 16:38:00 +0000

SYN-bit gravatar image

That is the output of the file creation, tshark does not log file deletion to stdout, so most probably if you look on disk, you will see files capture_00003* till capture_00012*

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-03-15 13:10:22 +0000

Seen: 139 times

Last updated: Mar 15