How to set up a Wireshark capture ring buffer for continuous capturing of network data limited to a specific amount of hard disk space.

Issue

In order to troubleshoot random network issues it is sometimes necessary to set up Wireshark to capture network traffic for an extended period of time. As Wireshark runs it decodes packets and its data structures grow. This causes performance issues, and eventually Wireshark may simply run out of virtual memory and stop capturing or crash.

Environment

Wireshark

Cause

Need to capture network traffic using Wireshark for an extended period of time.

Resolution

Use DumpCap as follows:

When capturing data, Wireshark actually uses a separate capture utility called DumpCap to do the actual data capture. DumpCap does not decode packets as they come in, so its memory footprint is smaller and remains constant. The only remaining concern is the size of the capture file or files, which can be limited when starting the ring buffer to keep them from growing too big.

DumpCap is found in the folder where the Wireshark program resides, which can be seen under Help\About Wireshark\Folders.

1. Determine the index of the Ethernet adapter you need to capture on (running dumpcap -D lists the available interfaces together with their index numbers).

In this example we want to capture the traffic seen by the Broadcom NetXtreme Gigabit Ethernet adapter, so we need to specify index 1 when we start DumpCap.

2. We execute DumpCap with the following options:

dumpcap -i 1 -b files:3 -b filesize:10 -w C:\temp\abe.pcapng

-i 1 specifies to capture on the network adapter with index 1.

-b files:3 specifies to use a three-file ring buffer.

-b filesize:10 specifies to limit each file to 10 KB (*** for a real-life capture this number would be much bigger, say 100/200 MB).

-w C:\temp\abe.pcapng specifies the location and file name prefix for the three files.

3. In the screen shot below we can see the files in the ring buffer being used. Once a file reaches the specified limit, the capture continues in the next file. Files are named using the specified prefix plus a date-time stamp that is updated each time the utility dumps captured data into the file.

Care should be taken to stop the capture as soon as possible once the issue under investigation has occurred, and before the ring buffer wraps around and overwrites the data.
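The procedure above, step 1 in particular, is done by reading a screen shot. The following is an added helper script (not part of the original article or of Wireshark) that picks the interface index out of dumpcap -D output by adapter name, builds the ring buffer command line from the article, and reports the disk space the ring can occupy. The sample interface listing is constructed; the "N. device (name)" layout is an assumption about what dumpcap -D prints on Windows.

```python
import re
import subprocess

# Constructed sample of `dumpcap -D` output in the shape seen on Windows
# (index, NPF device path, friendly adapter name in parentheses).
# Assumption: the real listing on your machine uses the same layout.
SAMPLE_INTERFACE_LIST = """\
1. \\Device\\NPF_{0A1B2C3D-0000-1111-2222-333344445555} (Broadcom NetXtreme Gigabit Ethernet)
2. \\Device\\NPF_{5F6E7D8C-0000-1111-2222-333344445555} (Wireless Network Connection)
"""

_LINE_RE = re.compile(r"^\s*(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_interfaces(listing):
    """Map interface index -> (device, friendly name) from dumpcap -D text."""
    result = {}
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if m:
            result[int(m.group(1))] = (m.group(2), m.group(3) or "")
    return result


def find_index(listing, name_fragment):
    """Return the index of the first interface whose name or device contains name_fragment."""
    needle = name_fragment.lower()
    for idx, (device, friendly) in sorted(parse_interfaces(listing).items()):
        if needle in friendly.lower() or needle in device.lower():
            return idx
    raise LookupError(f"no interface matching {name_fragment!r}")


def ring_buffer_command(index, files, filesize_kb, outfile):
    """Build the dumpcap argv for a ring of `files` files of `filesize_kb` kB each."""
    return ["dumpcap", "-i", str(index), "-b", f"files:{files}",
            "-b", f"filesize:{filesize_kb}", "-w", outfile]


def max_disk_kb(files, filesize_kb):
    """Upper bound on capture data kept on disk: dumpcap retains at most `files` files."""
    return files * filesize_kb


if __name__ == "__main__":
    try:  # use the live listing when dumpcap is on PATH, else the constructed sample
        listing = subprocess.run(["dumpcap", "-D"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        listing = SAMPLE_INTERFACE_LIST
    idx = find_index(listing, "Broadcom")
    argv = ring_buffer_command(idx, 3, 200 * 1024, r"C:\temp\abe.pcapng")
    print(" ".join(argv), f"(at most {max_disk_kb(3, 200 * 1024) // 1024} MB on disk)")
```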

Last update: 2018-09-10 10:21 AM