This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dumpcap - Odd file size

0

I am running dumpcap via the command

sudo dumpcap -i 2 filesize:200000 -b files:2500 -B 1024 -w /media/root/CORE/capture/capture.pcapng

and noticed that despite downloading a 400MB~ file, on a repeater network (meaning the actual noise generated would be 800MB~) that my .pcapng was a mere 200MB!

Is this normal, compression or something else? Or am I missing an excessive amount of packets? Thanks!

note: it's possible -B may need to be increased?

asked 17 Oct '17, 16:47


Cevestas
accept rate: 0%

edited 17 Oct '17, 16:49


One Answer:

0

The syntax of your command is incorrect. Did you mean to write the following instead?

sudo dumpcap -i 2 -b filesize:200000 -b files:2500 -B 1024 -w /media/root/CORE/capture/capture.pcapng

The -b filesize:200000 option will limit each file in the ring buffer to 200000 kB (or 200 MB). Refer to the dumpcap man page for more information. While it's possible there were dropped packets, the rest of the captured packets are almost certainly just written to the other files that were part of your ring buffer. Check your /media/root/CORE/capture/ directory for the other files.

answered 17 Oct '17, 19:31


cmaynard ♦♦
accept rate: 20%

There are no other files in that directory (though I have tested that the ring buffer is working; I believe the file was just under 200MB when I killed the capture).

It seems that you're implying that if 1G was transferred (and all packets captured), then the .pcapng would be 1G~?

Thank you! It's very nice to have a helpful forum like this.

(17 Oct '17, 19:47) Cevestas

You wrote, filesize:200000 but you missed the preceding -b; it should be -b filesize:200000 as I wrote. The result of using this option is that it will limit each file to 200MB and then close that file and start a new one, so no file will be bigger than 200MB.

If 1GB of data was transferred over the interface specified, then I'd expect you to have at least 5 files, each 200MB in size. If that's not the case, then you either dropped a ton of packets or the data was transferred on a different interface than you were capturing or ... something else TBD.

(17 Oct '17, 19:55) cmaynard ♦♦
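A small added check (not from the thread or from the Wireshark project) that turns the reasoning in the comment above into numbers: given a -b filesize:<kB> setting, how many ring-buffer files a given volume of traffic must have produced, and how many files (and bytes) are actually on disk. It assumes dumpcap's kB is 1000 bytes and that ring-buffer files follow dumpcap's capture_NNNNN_YYYYMMDDhhmmss.pcapng naming; the demo directory and file sizes are constructed.

```shell
#!/bin/sh
# Added example, not part of the original Q&A. Sanity-checks a dumpcap ring buffer
# configured with "-b filesize:<kB>" against the amount of traffic you expected to capture.
# Assumptions: dumpcap treats kB as 1000 bytes, and "-w capture.pcapng" with a ring
# buffer yields files named capture_<5-digit index>_<YYYYMMDDhhmmss>.pcapng.

# expected_files <transferred_bytes> <filesize_kb>
# Minimum number of ring-buffer files that must exist if every byte of the transfer was
# captured. pcapng per-packet block headers and link-layer headers only add to the total,
# so a real capture needs at least this many files.
expected_files() {
    limit=$(( $2 * 1000 ))
    echo $(( ($1 + limit - 1) / limit ))   # ceiling division
}

# ring_count <dir> <prefix>: number of ring-buffer files present for that capture prefix
ring_count() {
    n=0
    for f in "$1"/"$2"_*.pcapng; do
        [ -f "$f" ] && n=$(( n + 1 ))
    done
    echo "$n"
}

# ring_total <dir> <prefix>: bytes held by all ring-buffer files for that capture prefix
ring_total() {
    total=0
    for f in "$1"/"$2"_*.pcapng; do
        [ -f "$f" ] || continue
        total=$(( total + $(wc -c < "$f") ))
    done
    echo "$total"
}

# Demo on a constructed directory standing in for /media/root/CORE/capture/: three files,
# scaled down to 200 kB each (instead of 200 MB) so the demo runs quickly.
demo_dir=$(mktemp -d)
for i in 1 2 3; do
    dd if=/dev/zero of="$demo_dir/capture_0000${i}_20171017164700.pcapng" bs=1000 count=200 2>/dev/null
done
echo "files on disk: $(ring_count "$demo_dir" capture), bytes: $(ring_total "$demo_dir" capture)"
echo "files needed for a 1 GB transfer at filesize:200000: $(expected_files 1000000000 200000)"
rm -rf "$demo_dir"
```

If the on-disk count is below what expected_files reports for the transfer you made, the missing data was either dropped (check dumpcap's own drop counter) or never crossed the captured interface.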