Ask Your Question
0

What does ring buffer do if "create new" options aren't specified?

asked 2018-08-02 19:21:32 +0000

Matt Davis gravatar image

updated 2018-08-02 20:13:44 +0000

In the 2.6.2 version of Wireshark (and I think recent versions, too), the Output configuration includes two check boxes, one for "Create a new file automatically after..." and one for "Use ring buffer with X files."

If I enable the "ring buffer" option with 3 files, for example, but never check the "Create a new file" option, is the ring buffer actually used? I tried running a capture for a few minutes, but never saw a new file created. Is there default criteria that the "ring buffer" option uses to spread the data across multiple files?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-08-03 14:50:02 +0000

Matt Davis gravatar image

I ran a packet capture overnight to test. There is a single pcapng file with a size of 2.9GB, and it has over 2.7 million packets in it.

So it appears that checking the ring buffer option does nothing if there is no corresponding size or time criteria specified.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-08-02 19:21:32 +0000

Seen: 33 times

Last updated: Aug 03