I use dumpcap (vsersion 3.6.2) with -b duration and -b filesize option.
Sometimes, i have twin pcap
DATA_0_00002_20251022060511.pcap DATA_0_00002_20251022060512.pcap
and the capinfos command returns exactly the same information. How can this happen ?
That sounds like there are two processes running, generating the files. Are you doing this in Linux with nohup dumpcap .... & perhaps? What does ps aux | grep dumpcap show?
Ah, and you want the packets of all interfaces to be written in the same file? Then you are now relying on all 200 independent dumpcap process to come up with the same name, which it mostly does based on your other command line options. But as you notice, there could be a corner case where they do not.
Why not include all 200 interfaces in the same dumpcap process to make sure it writes packets of those 200 interfaces to the same file?
No I have one pcap set by interface. My dumpcap command (for each interface) looks like this :
/usr/bin/dumpcap -nni vlan.1 -w /data/output/captures/VLAN1/VLAN1_0.pcap -g -b duration:60 -a filesize:2048 -f "(src 189.1.1.1 and port 4000) or (src 189.1.1.2 and port 5000)".
For reasons of volumetrics and post-processing, I cannot put everything in the same capture.
Asked: 2026-05-21 08:17:20 +0000
Seen: 91 times
Last updated: May 21
Can you log the file names to see if there is a pattern?
Dumpcap: print closed ring-buffer file names
My guess is that there is a small window of opportunity that 2 distinct tasks get started to do the same job as you have 2 distinct criteria. There is propably a window during which the first rotation is still in progress that the second one gets triggered doing pretty much the same job.
This is pretty much a case of "shit happens".