This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dumpcap Syntax

On a Windows XP system dumpcap keeps creating new files even though "files:3" is used. What is wrong with my syntax?

C:\Temp>dumpcap.exe -i1 -b files:3 -b filesize:1 -w test.pcap
File: test_00001_20101207114220.pcap
Packets: 10 File: test_00002_20101207114223.pcap
Packets: 20 File: test_00003_20101207114227.pcap
Packets: 29 File: test_00004_20101207114228.pcap
Used CTL-C to quit

asked 07 Dec '10, 08:48

Gary

edited 07 Dec '10, 09:02

SYN-bit ♦♦

One Answer:

When you use "-b files:3", dumpcap will create a ring buffer of 3 files. This means it will keep creating new files forever, but it will only keep the latest three; all others will be deleted on the fly.

If you want to make dumpcap stop after 3 files, you will have to use the "-a" options. So your command would be:

C:\Temp>dumpcap.exe -i1 -a files:3 -a filesize:1 -w test.pcap

(please notice that you can't mix -a and -b options, so you have to change both).

BTW this behavior is not Windows specific; dumpcap does the same thing on other platforms.

answered 07 Dec '10, 09:00

SYN-bit ♦♦
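
The two behaviours described in the answer, as a small model added here for illustration (not code from the original posts or from dumpcap itself). It parses the progress output pasted in the question and shows which files a three-file ring buffer leaves on disk, and where a three-file stop condition would end the capture; the function names are hypothetical.

```python
import re
from collections import deque

# Progress output copied from the question on this page. In the pasted text
# each later "File:" follows a packet counter on the same line.
QUESTION_OUTPUT = """\
File: test_00001_20101207114220.pcap
Packets: 10 File: test_00002_20101207114223.pcap
Packets: 20 File: test_00003_20101207114227.pcap
Packets: 29 File: test_00004_20101207114228.pcap
"""

FILE_RE = re.compile(r"File:\s+(\S+)")


def files_opened(output):
    """Capture file names in the order dumpcap reported opening them."""
    return FILE_RE.findall(output)


def ring_buffer(opened, keep):
    """Model of -b files:N: capture never stops; opening a file beyond N
    deletes the oldest one. Returns (still_on_disk, deleted)."""
    on_disk, deleted = deque(), []
    for name in opened:
        if len(on_disk) == keep:
            deleted.append(on_disk.popleft())
        on_disk.append(name)
    return list(on_disk), deleted


def autostop(opened, limit):
    """Model of -a files:N as the answer describes it: nothing is deleted and
    capture ends after N files. Returns (written, never_created)."""
    return opened[:limit], opened[limit:]


if __name__ == "__main__":
    opened = files_opened(QUESTION_OUTPUT)
    kept, deleted = ring_buffer(opened, keep=3)
    print("-b files:3 keeps  :", kept)
    print("-b files:3 deletes:", deleted)
    written, skipped = autostop(opened, limit=3)
    print("-a files:3 writes :", written)
    print("-a files:3 never creates:", skipped)
```

With the question's output, the ring buffer has already discarded test_00001 by the time test_00004 appears, which matters when the earliest packets are the ones needed later.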