Wireshark · Wireshark-users: [Wireshark-users] dumpcap -f question [Re: Can I get Wireshark to capture constantly, but not count

[Gregorio Tomas Focaccio <public.focaccio@xxxxxxxxx>]

Phil,

Thanks for the dumpcap tip, it looks like a near perfect fit to my needs.  You are right about a ring-buffer being superior to 'clearing the slate', that is what I wanted, but didn't have a word for it.  I wish there was a way to configure a ring-buffer within Wireshark.

The documentation I found for dumpcap did not say what happens if the -f filter argument is left off the dumpcap command.  Do you know what happens?  

I ran dumpcap -D to get: 1. eth0 2. wlan0 3. tap0 4. br0 5. eth1 6. usbmon1 (USB bus number 1) [etc.]  So, here is what I hope the command: dumpcap -b files:5 -i 4 -c 16500 -w 915PBLbr0  accomplishes:  1. Starts dumpcap and allows for a ring buffer of 5 files, each with: 915PBLbr0 in the file name  2. Captures 16,500 packets (for an individual capture file size less than 25M assuming 1500 byte MTU) in each file  3. Captures any (don't know what happens without -f argument) packet seen by the bridge0 virtual interface.  4. Never creates more that 5 capture files.

How does the command look to you?

Thanks,

Greg