First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

tshark ring-buffer duration vs interval

I am looking at the documentation for tshark -b, and it's unclear to me what the difference is between "interval" and "duration". Both are in seconds and at the end of NUM seconds, the file rotates.

For example, what is the difference between these two commands?

tshark -b files:5 -b duration:10 -w file
tshark -b files:5 -b interval:10 -w file

In both cases, I see the filename endings change and increase by 10 about every 10s that look something like this:

bash:/tmp/duration-test$ ls -1
file_00003_20190808003713
file_00004_20190808003723
file_00005_20190808003733
file_00006_20190808003743
file_00007_20190808003753
Ross Jacobs's avatar
71
Ross Jacobs
asked 2019-08-08 07:41:13 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

2

From the man page:

duration:value switch to the next file after value seconds have elapsed, even if the current file is not completely filled up. Floating point values (e.g. 0.5) are allowed.

interval:value switch to the next file when the time is an exact multiple of value seconds

Using a value of 8 seconds I got the following output with duration:

_00001_20190808113539
_00002_20190808113547
_00003_20190808113555
_00004_20190808113604
_00005_20190808113612
_00006_20190808113621

and for interval:

_00001_20190808112634
_00002_20190808112640
_00003_20190808112648
_00004_20190808112656
_00005_20190808112704
_00006_20190808112712

You can see that duration is (approximately) equally spaced after the initial start time whereas the interval starts the second file at the next multiple of 8 (not sure where it starts from, maybe the current minute). Given a larger interval, e.g. 3600, I suspect that after the first file, all others will start on an exact hour boundary.

grahamb's avatar
23.8k
grahamb
answered 2019-08-08 10:38:20 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Makes sense to me. Thanks for the quick response.

Ross Jacobs's avatar Ross Jacobs (2019-08-08 15:20:36 +0000) edit
more
  • delete

The duration option has been available for a long time, but I was always more interested in clean time intervals instead so I added the interval option. Whenever "<epoch-seconds> DIV <interval>" rolls over to the next value, a new file is created. So for 8 second intervals, it is not on a nice minute boundary. But for intevals of 5, 6 or 10 seconds it makes more sense :-)

SYN-bit's avatar SYN-bit (2019-08-13 05:15:18 +0000) edit
more
  • delete

Hi Sake,

If this is your baby, can you add text to the manpage and --help? The example that Graham provided with numbers is clear, and right now, existing documentation is not.

Thanks for making this feature, Ross

Ross Jacobs's avatar Ross Jacobs (2019-08-13 07:05:05 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer