Ring buffer "file doesn't exist" error

asked 2018-06-25 22:20:14 +0000

SteveC

updated 2018-06-25 22:22:30 +0000

Hello,

I am getting an error whenever I try to run a capture using a ring buffer.

Steps:

1. From the Capture window: select the interface
2. In the Output tab, provide a filename and directory in the "File:" box (i.e. C:/capture.pcapng)
3. Select "Create a new file automatically after..." and select the first box. Choose a small file size (100 kB for example)
4. Select "Use a ring buffer with", and choose a number (3 or 4 for example)
5. Start the filter

After a few minutes, I will receive an error that says "The file "capture####.pcapng does not exist".

When I check the directory, there will be a set of linked files, with a count of one more than the number I specified (if I chose a ring buffer of 3, there will be four files), but the last one is incomplete.

Does anyone else get this error? Any ideas?


Comments

Which Wireshark and OS version? This works for me on Windows 10 with 2.6.1, and using either forward or backward path separators in the output file name.

grahamb ( 2018-06-25 22:58:34 +0000 )

Thank you for the feedback. I am using 2.6.1 on Windows 7. I will keep playing with it to see if I can find anything else that might be unique.

SteveC ( 2018-06-25 23:20:18 +0000 )

It's possible that AV software might be interfering; you could try temporarily disabling that. You might also try an output path that is in a directory and not in the root of the C: drive.

grahamb ( 2018-06-25 23:32:07 +0000 )

1 Answer


answered 2018-06-27 15:45:23 +0000

JeffMorriss

This is a long-known problem/limitation with the ring buffer implementation.

Fundamentally the problem is that the ring buffer files are rotating/switching faster than Wireshark is reading them.

To avoid the problem you need to slow down the packet rate (e.g., with capture filters) or speed up Wireshark (making it do less work). Just using bigger files may help too.


Comments

This is very helpful. Thank you for clarifying :)

SteveC ( 2018-06-27 16:21:26 +0000 )
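
The race described in the answer above, as an added illustration that is not part of the original thread and is not Wireshark code: a simplified model in which a writer rotates ring files and a reader opens them in order. The function name, the file naming and the kB/s rates are constructed assumptions; the 100 kB file size and ring of 3 come from the question.

```python
import os
import tempfile


def simulate_ring(files_kept, file_kb, capture_kbps, reader_kbps, seconds):
    """Simplified model: a writer rotates ring files, a reader follows in order.

    Returns (second, file_index) for the first file the reader could not open
    because it had already been rotated out, or None if the reader kept up.
    """
    with tempfile.TemporaryDirectory() as ring_dir:
        def path(n):  # constructed naming, not Wireshark's real file names
            return os.path.join(ring_dir, f"capture_{n:05d}.pcapng")

        written = read = 0  # running totals in kB
        newest = 1
        open(path(newest), "wb").close()
        for t in range(1, seconds + 1):
            written += capture_kbps
            # Writer: start a new file whenever the current one is full and
            # delete the file that drops out of the ring.
            while written // file_kb + 1 > newest:
                newest += 1
                open(path(newest), "wb").close()
                stale = path(newest - files_kept)
                if newest > files_kept and os.path.exists(stale):
                    os.remove(stale)
            # Reader: consume at its own rate, file by file, never past the writer.
            target = min(read + reader_kbps, written)
            while read < target:
                current = read // file_kb + 1
                if not os.path.exists(path(current)):
                    return (t, current)
                read = min(target, current * file_kb)
    return None


if __name__ == "__main__":
    # 100 kB files and a ring of 3 as in the question; rates are constructed.
    print(simulate_ring(3, 100, capture_kbps=50, reader_kbps=20, seconds=600))
    print(simulate_ring(3, 100, capture_kbps=10, reader_kbps=20, seconds=600))
    print(simulate_ring(3, 1000, capture_kbps=50, reader_kbps=20, seconds=600))
```

In this model, files ten times larger only postpone the missing-file error, while a capture rate below the reader's rate avoids it.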
