THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Ring buffer "file doesn't exist" error

Hello,

I am getting an error whenever I try to run a capture using a ring buffer.

Steps: 1. From the Capture window: select the interface 2. In the Output tab, provide a filename and directory in the "File:" box (i.e. C:/capture.pcapng) 3. Select "Create a new file automatically after..." and select the first box. Choose a small file size (100 kB for example) 4. Select "Use a ring buffer with", and choose a number (3 or 4 for example) 5. Start the filter

After a few minutes, I will receive an error that says "The file "capture####.pcapng does not exist".

When I check the directory, there will be a set of linked files, with a count of one more than the number I specified (if I chose a ring buffer of 3, there will be four files), but the last one is incomplete.

Does anyone else get this error? Any ideas?

SteveC's avatar
3
SteveC
asked 2018-06-25 22:20:14 +0000, updated 2018-06-25 22:22:30 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Which Wireshark and OS version? This works for me on Windows 10 with 2.6.1, and using either forward or backward path separators in the output file name.

grahamb's avatar grahamb (2018-06-25 22:58:34 +0000) edit
more
  • delete

Thank you for the feedback. I am using 2.6.1 on Windows 7. I will keep playing with it to see if I can find anything else that might be unique.

SteveC's avatar SteveC (2018-06-25 23:20:18 +0000) edit
more
  • delete

It's possible that AV software might be interfering, you could try temporarily disabling that. You might also try an output path that is in a directory and not in the root of the c: drive.

grahamb's avatar grahamb (2018-06-25 23:32:07 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

This is a long-known problem/limitation with the ring buffer implementation.

Fundamentally the problem is that the ring buffer files are rotating/switching faster than Wireshark is reading them.

To avoid the problem you need to slow down the packet rate (e.g., with capture filters) or speed up Wireshark (making it do less work). Just using bigger files may help too.

JeffMorriss's avatar
6.4k
JeffMorriss
answered 2018-06-27 15:45:23 +0000
edit flag offensive 0 remove flag delete link
more

Comments

This is very helpful. Thank you for clarifying :)

SteveC's avatar SteveC (2018-06-27 16:21:26 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer