Revision history

revision 1 (initial version)

dumpcap -w option with -b option does not seem to work

Running dumpcap on Ubuntu 18.04 LTS 64-bit. I can run Wireshark in the GUI just fine, can capture packets, etc. Now I want to run dumpcap, using a ring buffer option to start a new file every 60 seconds. I use the command line:

    sudo dumpcap -i enp0s3 -w `pwd`/dump.pcapng -b interval:60 -q

No matter what I do, so long as I have the -b option on the command line, I get grousing:

    Capturing on 'enp0s3'
    dumpcap: The file to which the capture would be saved ("/home/jgustavson/dump.pcapng") could not be opened: No such file or directory.

This seems like it should be obvious and simple, yet I cannot get it to work. If I remove the -b option, it works. If I remove the -w option, I get a warning about the temp file not being saved:

    dumpcap: Ring buffer requested, but capture isn't being saved to a permanent file.
    Capturing on 'enp0s3'
    File: /tmp/wireshark_enp0s3_20200610164649_cNvi03.pcapng

Is this really that hard to suss out? Or is this code really this broken? Insights, anyone?

The version information is as follows:

Dumpcap (Wireshark) 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)

Copyright 1998-2019 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.56.4, with zlib 1.2.11, with libpcap, with POSIX
capabilities (Linux), with libnl 3.

Running on Linux 5.3.0-53-generic, with Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz (with SSE4.2), with 1987 MB of physical memory, with locale C, with libpcap version 1.8.1, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using gcc 7.4.0.


* UPDATED TO MERGE THE DUPLICATE QUESTION INFO *

Running dumpcap on Ubuntu 18.04 LTS 64-bit. I can run Wireshark in the GUI just fine, can capture packets, etc. Please note that I can run dumpcap, outputting to a temporary file. That works. My user is in the group 'wireshark' and yes I chose those pcap installation options to have it work that way. So, from a basic permissions point of view, dumpcap does run, does capture packets.

If anyone knows some reason why "sudo command" is not the same as "running as root", then please tell me.

My problem is not having ANY success getting the output options to work properly.

They seem very broken.

First of all, just using the -w filename option does not work unless I first create the file. It does not make any sense for it to work that way!

    sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng -q
    Capturing on 'enp0s3'
    dumpcap: The file to which the capture would be saved ("/home/jgustavson/myfile.pcapng") could not be opened: Permission denied.

Notice that the file in fact does not exist, but the program says "Permission denied" as the error. I am in my home directory at the time. If I create the file via echo foo >myfile.pcapng and then try the dumpcap command, it works. Very unexpected!

    sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng -q
    Capturing on 'enp0s3'
    File: /home/jgustavson/myfile.pcapng
    Packets captured: 141
    [ctrl-C here]
    Packets received/dropped on interface 'enp0s3': 141/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)

Anyone understand why dumpcap seems to be incapable of creating a file if I tell it the name to use with the -w option? If I leave the -w option out, it will create and write to a temporary file just fine.

What I really want to do is set up a ring buffer option, so dumpcap will start a new file every nnn seconds:

    sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng -b interval:60 -q
    Capturing on 'enp0s3'
    dumpcap: The file to which the capture would be saved ("/home/jgustavson/myfile.pcapng") could not be opened: No such file or directory.

... but as you can see, that fails too. (Yes, I had deleted myfile.pcapng before running the command, to start "clean".) If I leave out the -w option, it complains "dumpcap: Ring buffer requested, but capture isn't being saved to a permanent file."

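Added example (the editor's, not code from the poster or from the Wireshark project): a preflight check for the -w target that reproduces the distinction between the two errors in the post, "No such file or directory" (the directory is missing) and "Permission denied" (the effective user cannot create files in it), by actually creating a ring-buffer-style file next to the requested path before dumpcap is started. Run it the same way the capture will be run (same user, with or without sudo). The ring-buffer file naming pattern and the -b files:N option are real dumpcap behaviour; the wrapper name run_ring_capture and its default of 10 files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the question or from the Wireshark project.
#
# dumpcap must be able to *create* the file named by -w. With -b it does not
# even write that path: it creates a series of files in the same directory,
# named <base>_<NNNNN>_<YYYYMMDDhhmmss>.<ext>
# (e.g. dump_00001_20200610164649.pcapng). Pre-creating the named file, as in
# the post, therefore cannot help a ring-buffer capture; the directory itself
# must allow new files for whatever uid dumpcap ends up opening them as.
#
# capture_target_check PATH
#   Prints one line starting with OK:, NO_DIR:, DIR_NOT_WRITABLE: or
#   CREATE_FAILED: and returns 0 only for OK. The first two failure tags map
#   onto the two dumpcap messages seen in the post.
capture_target_check() {
    target=$1
    dir=$(dirname "$target")
    base=$(basename "$target")

    if [ ! -d "$dir" ]; then
        printf 'NO_DIR: %s does not exist (dumpcap would report "No such file or directory")\n' "$dir"
        return 1
    fi
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        printf 'DIR_NOT_WRITABLE: uid %s cannot create files in %s (dumpcap would report "Permission denied")\n' \
            "$(id -u)" "$dir"
        return 1
    fi
    # [ -w ] is always true for root, so really create a file, using a
    # ring-buffer-style name so the probe lands where the captures would.
    # mktemp picks a fresh name, so nothing already in the directory is touched.
    probe=$(mktemp "$dir/${base%.*}_00000_XXXXXX" 2>/dev/null) || {
        printf 'CREATE_FAILED: uid %s could not create a new file in %s\n' "$(id -u)" "$dir"
        return 1
    }
    rm -f -- "$probe"
    printf 'OK: uid %s can create files in %s\n' "$(id -u)" "$dir"
    return 0
}

# run_ring_capture IFACE PATH SECONDS [FILES]
#   Hypothetical wrapper (name and default are this example's assumptions):
#   preflights PATH, then starts a time-based ring buffer that opens a new
#   file every SECONDS seconds and keeps at most FILES files (default 10).
#   -b needs -w, as the "Ring buffer requested, but capture isn't being saved
#   to a permanent file" message in the post shows; -b files:N is a real
#   dumpcap option.
run_ring_capture() {
    iface=$1
    target=$2
    secs=$3
    keep=${4:-10}
    capture_target_check "$target" || return 1
    dumpcap -i "$iface" -w "$target" -b "interval:$secs" -b "files:$keep" -q
}

# Invoked with arguments, e.g.:  sh preflight.sh enp0s3 "$PWD/dump.pcapng" 60
# With no arguments the script only defines the functions.
[ $# -eq 0 ] || run_ring_capture "$@"
```

The check deliberately does not pass a pre-existing file as success: the only thing it accepts is a freshly created file in the target directory, which is what both a plain -w capture and every rotation of a -b ring buffer need.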