What does ring buffer do if "create new" options aren't specified?

asked 2018-08-02 19:21:32 +0000

Matt Davis

updated 2018-08-02 20:13:44 +0000

In the 2.6.2 version of Wireshark (and I think recent versions, too), the Output configuration includes two check boxes, one for "Create a new file automatically after..." and one for "Use ring buffer with X files."

If I enable the "ring buffer" option with 3 files, for example, but never check the "Create a new file" option, is the ring buffer actually used? I tried running a capture for a few minutes, but never saw a new file created. Are there default criteria that the "ring buffer" option uses to spread the data across multiple files?

answered 2018-08-03 14:50:02 +0000

Matt Davis

I ran a packet capture overnight to test. There is a single pcapng file with a size of 2.9GB, and it has over 2.7 million packets in it.

So it appears that checking the ring buffer option does nothing if there is no corresponding size or time criteria specified.


Last updated: Aug 03