Articles

Wireshark Ring Buffer Capture: Continuous Long-Running (2026)

April 6, 2026 5 min read

The core problem is that tcpdump/tshark (and by extension, Wireshark’s capture engine) will eventually run out of memory or disk space if you try to capture traffic indefinitely without a strategy.

Common Causes and Fixes for Wireshark Ring Buffer Capture Issues

The most common reason you’re hitting a wall with long-running captures is that the capture file grows without bound, eventually exhausting disk space or your system’s RAM if it’s being written to memory. The solution is to implement a ring buffer, which overwrites old data with new data once a certain size or time limit is reached.

Here are the most frequent culprits and how to tackle them:

  1. No Ring Buffer Configuration: File Grows Indefinitely

    • Diagnosis: You start a capture, and after a while, your disk fills up, or the capture process hangs. You’ll see errors like "No space left on device" or the capture process consuming massive amounts of RAM.
    • Fix: Use the -C (file size limit) and -W (number of files) options with tcpdump or tshark. For example, to capture to files up to 100MB each, keeping only the last 5 files:
      tcpdump -i eth0 -s 0 -C 100 -W 5 -w /path/to/capture/capture.pcap
      Or with tshark:
      tshark -i eth0 -s 0 -C 100 -W 5 -w /path/to/capture/capture.pcap
    • Why it works: This tells tcpdump/tshark to start a new file when the current one reaches 100MB, and to delete the oldest file once it has 5 files in rotation. This creates a rolling window of your most recent traffic.

  2. Incorrect File Size (-C) Value: Files Too Small or Too Large

    • Diagnosis: You’ve set -C, but either files are being rotated too frequently (e.g., every few seconds, making analysis difficult) or not frequently enough (disk still fills up).
    • Fix: Adjust the -C value based on your disk space and the expected traffic volume. If you have 1TB of disk and want to retain 24 hours of data with 5 files, estimate your traffic rate. If you see 100MB per minute, then a 500MB file size (-C 500) would give you roughly 5 minutes of data per file, and 5 files would give you 25 minutes. For 24 hours, you’d need a much larger -C or more files. A common starting point for moderate traffic is 500 (MB).
      tcpdump -i eth0 -s 0 -C 500 -W 10 -w /path/to/capture/capture.pcap
    • Why it works: The -C value directly controls how much data is written to a single file before a new one is created, directly impacting how often rotation occurs.

  3. Insufficient Disk Space for Rotation:

    • Diagnosis: Even with ring buffering, the capture fails because the cumulative size of the files in the buffer exceeds available disk space.
    • Fix: Ensure that NumberOfFiles * FileSizeBytes is less than your available disk space. If you use -C 100 -W 10, you need at least 1GB of free space. If disk is tight, reduce -W or -C.
      # Check free space
df -h /path/to/capture/

# If space is low, reduce file count
tcpdump -i eth0 -s 0 -C 100 -W 5 -w /path/to/capture/capture.pcap
    • Why it works: The system needs enough contiguous free space to hold all the files in the rotation simultaneously before the oldest one is deleted.

  4. Permissions Issues for Writing Files:

    • Diagnosis: The capture process starts but immediately fails with "Permission denied" errors when trying to create the first capture file.
    • Fix: Ensure the user running tcpdump or tshark has write permissions to the directory specified in the -w option.
      sudo chown <user>:<group> /path/to/capture/
sudo chmod u+w /path/to/capture/
# Or run as root if appropriate and necessary
sudo tcpdump -i eth0 -s 0 -C 100 -W 5 -w /path/to/capture/capture.pcap
    • Why it works: The capture process is a user-space application and needs explicit OS-level permissions to write files to disk.

  5. Buffer Overflow in the Kernel (Less Common with Ring Buffers but Possible):

    • Diagnosis: You’re capturing very high-speed traffic, and even with ring buffers, you see packets being dropped (indicated by packets dropped by kernel in tcpdump’s summary or tshark’s statistics). This isn’t a "capture stopped" error, but a data loss error.
    • Fix:
      • Increase Kernel Buffers: For tcpdump, use the -B option to set the buffer size in KB. For tshark, this is less direct and often relies on system-wide settings.
        # Example with tcpdump, setting buffer to 1MB (1024 KB)
tcpdump -i eth0 -s 0 -C 100 -W 5 -B 1024 -w /path/to/capture/capture.pcap
      • Optimize Capture Interface: Ensure your network interface is not overloaded or misconfigured.
      • Use a Faster Machine/Disk: If traffic rates are extremely high, the system might simply not be able to keep up.
    • Why it works: The kernel buffer acts as a temporary holding area for packets before they are passed to the user-space capture program. A larger buffer gives the program more time to read packets, reducing the chance of kernel drops.

  6. Incorrect snaplen (-s) Setting:

    • Diagnosis: You’re capturing but the files are unexpectedly small, or you’re missing critical parts of packets (e.g., payload data). This won’t typically stop a capture but will render it useless.
    • Fix: Set snaplen to 0 to capture the full packet.
      tcpdump -i eth0 -s 0 -C 100 -W 5 -w /path/to/capture/capture.pcap
    • Why it works: The snaplen option defines how many bytes of each packet are captured. A value of 0 means "capture the entire packet," which is usually what you want for comprehensive analysis.

After fixing these, the next error you might encounter is a "Resource temporarily unavailable" if the disk I/O becomes a bottleneck during rapid file rotation on a slow storage device.

More Deep Dives in Wireshark

Want structured learning?

Take the full Wireshark course →