
Wireshark Circular Buffer for Continuous Packet Capture Configuration Example


Document ID: 116857

Updated: Nov 22, 2013

Contributed by Somasundaram Jayaraman and Shashank Singh, Cisco TAC Engineers.


Introduction

This document describes how to configure the circular/ring buffer feature of Wireshark in order to have enough storage space to run continuous sniffer captures.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

In many troubleshooting scenarios, you must run sniffer captures continuously in order to capture the packets. However, in most of these scenarios there is not enough storage space for the capture files. As a workaround, you can configure the circular/ring buffer feature of Wireshark so that, once the specified file size and file count are reached, Wireshark overwrites the oldest files, which keeps the storage consumed within a fixed bound.

In the ring/circular buffer mode, Wireshark writes to several capture files. The file names are based on the number of the file and on the creation date and time. When the first capture file becomes full, Wireshark begins to write to the next file, and so on. This process fills new files until it reaches the number of files specified, at which point the data in the first file is discarded so that a new file can be written.

Ring Buffer Configuration

Note: The span configuration must be present on the device, so that the packets are sent to the capture port where the laptop/PC is connected. Additionally, the laptop/PC must run Wireshark.

Complete these steps in order to configure the ring buffer on your device.

  1. Ensure that the capture port is in the up/down (monitoring) state and that the output rate on the interface increments.

  2. Navigate to Capture > Options in Wireshark:



  3. Choose the correct Ethernet interface.

  4. Name the file, and check the Use multiple files check box.

  5. Check the Next file every 1 MB or 1 minute check box.

  6. Check the Ring buffer with <number> files check box.

    Note: This is the number of files that are kept; once that many files exist, the oldest one is overwritten.




  7. Click Start in order to initiate the packet capture with the circular buffer.




    All of the files displayed in the previous image are .pcap files, which can be opened with Wireshark.

This procedure allows you to run a continuous sniffer on the device and store the files on the capture device that runs Wireshark. Then, if you no longer need the files, you can delete them, which conserves storage space on the end device.
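The same ring-buffer settings can be applied from the command line with dumpcap, the capture engine that ships with Wireshark. This is an added example, not part of the Cisco document; the interface name, file prefix and file count are assumed values, and the helper functions are hypothetical names written for this illustration.

```shell
#!/bin/sh
# Added example: dumpcap equivalent of the GUI ring-buffer settings in steps 4 to 6.
#   -b filesize:1000  start a new file every 1 MB (dumpcap takes the size in kB)
#   -b duration:60    or every 1 minute, whichever comes first
#   -b files:N        keep N files, then overwrite the oldest one
#   -w PREFIX         files are named PREFIX_<seq>_<YYYYMMDDhhmmss>.pcapng
ring_capture_cmd() {
    iface="$1"; prefix="$2"; nfiles="$3"
    printf 'dumpcap -i %s -b filesize:1000 -b duration:60 -b files:%s -w %s' \
        "$iface" "$nfiles" "$prefix"
}

# Count the capture files that currently exist for a prefix. Because the ring
# overwrites in place, this number should never exceed the configured file count.
ring_file_count() {
    prefix="$1"
    ls "${prefix}"_*.pcap* 2>/dev/null | wc -l | tr -d ' '
}

# Return success (0) if the ring is still within its configured file count; this is
# the quick check to run while a capture is in progress.
ring_within_limit() {
    [ "$(ring_file_count "$1")" -le "$2" ]
}

# Stand-alone demonstration with constructed file names (no packets are captured):
# print the command you would run, then check a directory that mimics a 3-file ring.
demo_dir=$(mktemp -d)
for seq in 00001 00002 00003; do
    : > "$demo_dir/span_${seq}_20131122120000.pcapng"   # constructed, empty
done
echo "Command: $(ring_capture_cmd eth0 /tmp/span 10)"
echo "Files in constructed ring: $(ring_file_count "$demo_dir/span")"
if ring_within_limit "$demo_dir/span" 10; then
    echo "Ring is within its configured limit"
fi
rm -rf "$demo_dir"
```

Running dumpcap with these arguments writes the rotating .pcapng files to the given prefix; each file can be opened in Wireshark exactly like the GUI-created ones.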

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
