What does ring buffer do if "create new" options aren't specified?

In the 2.6.2 version of Wireshark (and I think recent versions, too), the Output configuration includes two check boxes, one for "Create a new file automatically after..." and one for "Use ring buffer with X files."

If I enable the "ring buffer" option with 3 files, for example, but never check the "Create a new file" option, is the ring buffer actually used? I tried running a capture for a few minutes, but never saw a new file created. Are there default criteria that the "ring buffer" option uses to spread the data across multiple files?

Matt Davis
asked 2018-08-02 19:21:32 +0000, updated 2018-08-02 20:13:44 +0000

1 Answer

I ran a packet capture overnight to test. There is a single pcapng file with a size of 2.9GB, and it has over 2.7 million packets in it.

So it appears that checking the ring buffer option does nothing if there is no corresponding size or time criteria specified.

Matt Davis
answered 2018-08-03 14:50:02 +0000
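
The same setup on the command line, as an added example that is not part of the original post: dumpcap, the capture tool shipped with Wireshark, takes the ring size as `-b files:N` and the file-switch criteria as `-b filesize:` and `-b duration:`. The `ring_args` helper, the interface name and the output path below are assumptions made for illustration; the helper refuses the combination described in the answer, a ring size with no size or time criterion.

```shell
#!/bin/sh
# ring_args FILES FILESIZE_KB DURATION_S
# Prints the dumpcap -b options for a ring buffer. 0 or "" means "not set".
# Hypothetical helper written for this example, not part of Wireshark.
ring_args() {
    files=${1:-0}; size_kb=${2:-0}; dur_s=${3:-0}

    # Accept only non-negative integers.
    for v in "$files" "$size_kb" "$dur_s"; do
        case $v in
            *[!0-9]*) echo "not a number: $v" >&2; return 2 ;;
        esac
    done

    if [ "$files" -lt 1 ]; then
        echo "ring size must be at least 1 file" >&2
        return 2
    fi

    # The case from the answer above: a ring size with nothing that
    # triggers a switch to the next file. Refuse it here, before an
    # overnight capture grows into one multi-gigabyte file.
    if [ "$size_kb" -eq 0 ] && [ "$dur_s" -eq 0 ]; then
        echo "ring of $files files has no filesize or duration criterion" >&2
        return 1
    fi

    out="-b files:$files"
    if [ "$size_kb" -gt 0 ]; then out="$out -b filesize:$size_kb"; fi
    if [ "$dur_s" -gt 0 ]; then out="$out -b duration:$dur_s"; fi
    echo "$out"
}

# Upper bound on retained capture data when a size criterion is set,
# in the same kB unit that was passed to filesize.
ring_max_kb() {
    echo $(( $1 * $2 ))
}

# Usage (interface and path are placeholders):
#   dumpcap -i eth0 -w /var/tmp/ring.pcapng $(ring_args 3 100000 0)
```
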