Wireshark-users: Re: [Wireshark-users] Live capture stops suddenly
From: Chris Henderson <henders254@xxxxxxxxx>
Date: Wed, 18 Mar 2009 14:55:58 +1100
On Sat, Mar 14, 2009 at 2:09 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Mar 12, 2009, at 8:15 PM, Chris Henderson wrote:
>
>> I am running wireshark/ ethereal version 1.0.4 on Linux. My only
>> network interface is eth0 and when I start a live capture on eth0, it
>> stops capturing any packet after a while. It's hard to say when it
>> actually stops the capture as it's quite random. It doesn't give any
>> error, just sits there not capturing anything; although in the bottom
>> panel I can see: eth0: live capture in progress message. I have over
>> 10GB disk space in my /tmp directory.
>
> Is dumpcap still running when packets stop arriving?

I started dumpcap after wireshark stopped capturing and dumpcap
staretd capturing packets.

> What happens if you try running dumpcap, or tcpdump, from a terminal
> window?  Does it also stop seeing packets after a while?

dumpcap stops after a while as well. Here's the output

# dumpcap
File: /tmp/etherXXXXm6M5no
Packets: 13831

it stopped at that. when I did ^c it said: Packets dropped: 17716

the file size (/tmp/etherXXXXm6M5no) grew to 2042160 and stopped as well.

> Are you using ring buffers?

not sure what that is - so probably no.