When I start Ethereal V0.10.14 from the command line under WinXP SP2, what is the exact syntax & units for capturing to multiple files?
Is it:-
ethereal -i 4 -k -a filesize:64 -b -w c:\traces\test.cap
I assume this starts a new file every 64M
64K; as the man page says:
-a <capture autostop condition>
Specify a criterion that specifies when Ethereal is to stop writing
to a capture file. The criterion is of the form test:value, where
test is one of:...
filesize:value Stop writing to a capture file after it reaches a
size of value kilobytes (where a kilobyte is 1024 bytes).

...and does not use a ring buffer?
-b <capture ring buffer option>
Cause Ethereal to run in "multiple files" mode. In "multiple
files" mode, Ethereal will write to several capture files. When the
first capture file fills up, Ethereal will switch writing to the
next file and so on....
The criterion is of the form key:value, where key is one of:
duration:value switch to the next file after value seconds have
elapsed, even if the current file is not completely filled up.
filesize:value switch to the next file after it reaches a size of
value kilobytes (where a kilobyte is 1024 bytes).
files:value begin again with the first file after value number of
files were written (form a ring buffer).

I've checked in a bug fix to catch that.
So you'd probably want something such as
ethereal -i 4 -k -b filesize:65536 -w c:\traces\test.cap
Also, when setting the kernel buffer with -B 20, does that set the buffer to 20M?
Yes:
-B <capture buffer size (Win32 only)>
Win32 only: set capture buffer size (in MB, default is 1MB).

One final point - are there any calculations that can be performed on available free memory on the PC and the ideal file size when capturing to multiple files to avoid dropped packets?