How to collect Wireshark capture with rotation (ring-buffer)

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

When you need to diagnose an intermittent network issue, or capture an event that occurs only once in a while, you may need to use ring-buffer mode in Wireshark. In this mode, the number and overall size of the capture files are fixed; once the limit is reached, the newest data continuously overwrites the oldest data in the capture buffer.

Below, you will find instructions for how to configure this capture mode:

  1. Download and install Wireshark from the official website, if you have not done that already.
  2. Launch Wireshark and click Capture options.
    (Screenshot: Capture options)
  3. On the Input tab, uncheck the option Enable promiscuous mode on all interfaces and select the interfaces from which you want to capture traffic. If you are not sure which ones to select, look at the graphs in the Traffic column to determine which interfaces are active and select all of them. If you are completely lost, you can also select all interfaces.
    (Screenshot: Input)
  4. On the Output tab you configure where the resulting files will be saved; the ring buffer capture is also configured here. It's a good idea to create a separate folder to store the capture files.

    The screenshot below shows optimal configuration for the capture settings.
    (Screenshot: Output)

    Note that the space occupied by the capture files will be equal to the size of a single capture file multiplied by the number of files in the ring buffer. In our example it's 500 MB * 8 = 4000 MB, which is the optimal size to upload to the Company Account portal. You can modify these parameters to allocate more or less space for the capture files, though we don't recommend making it less than 2 GB.

    Use of compression is optional. With it, more data can be stored within the same file size, but it can also increase CPU load. Disable this option in case of performance problems.
  5. When everything is configured, click Start to start the capture.

    Please note that when capturing traffic in ring buffer mode, it's very important to monitor for the occurrence of the event that you need to record and to stop the capture as soon as possible after the event has occurred; otherwise the relevant part of the capture may be overwritten. Timing is especially important when using smaller buffer sizes.
  6. When the capture is finished, click Stop capturing packets, then Close this capture file.
    (Screenshots: Stop capturing packets; Close capture file)
  7. Pack the resulting files into an archive and upload it to your Company Account.
    (Screenshot: Resulting files)
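The same ring-buffer capture can be started from the command line with dumpcap (the capture engine that ships with Wireshark), which is handy on servers without a desktop session. The script below is an added example, not part of the original post: it builds the dumpcap command for the settings described above (non-promiscuous capture, 500 MB per file, 8 files) and checks the total buffer footprint against the 2 GB minimum recommended in step 4, without running the capture itself. The interface name eth0 and the folder /tmp/caps are constructed placeholders; dumpcap's filesize value is expressed in kB, and the conversion 1 MB = 1000 kB used here is an assumption you should check against the man page of your Wireshark version.

```shell
#!/bin/sh
# Added example (not from the original post): build a dumpcap ring-buffer
# command equivalent to the GUI settings in steps 3-4, and sanity-check sizing.

# Total disk footprint of the ring buffer = per-file size * number of files.
# Prints the result in MB (same arithmetic as the post: 500 MB * 8 = 4000 MB).
ring_buffer_total_mb() {
    size_mb=$1
    files=$2
    echo $(( size_mb * files ))
}

# Returns 0 when the ring buffer is at least the 2 GB (2000 MB) the post
# recommends, 1 otherwise, so a wrapper script can refuse an undersized buffer.
ring_buffer_size_ok() {
    total=$(ring_buffer_total_mb "$1" "$2")
    [ "$total" -ge 2000 ]
}

# Compose the dumpcap command line for one interface.
#   -p               do not put the interface into promiscuous mode (step 3)
#   -b filesize:N    switch to the next file after N kB (assumption: 1 MB = 1000 kB)
#   -b files:N       keep only N files and overwrite the oldest (the ring buffer)
#   -w PATH          base name; dumpcap appends a sequence number and timestamp
# Repeat "-i IFACE" to capture from several interfaces at once.
ring_buffer_cmd() {
    iface=$1
    size_mb=$2
    files=$3
    outdir=$4
    size_kb=$(( size_mb * 1000 ))
    printf 'dumpcap -p -i %s -b filesize:%s -b files:%s -w %s/capture.pcapng\n' \
        "$iface" "$size_kb" "$files" "$outdir"
}

# Stand-alone usage with the post's example values (placeholders: eth0, /tmp/caps).
if ring_buffer_size_ok 500 8; then
    echo "Ring buffer footprint: $(ring_buffer_total_mb 500 8) MB"
    ring_buffer_cmd eth0 500 8 /tmp/caps
else
    echo "Ring buffer below the recommended 2 GB; increase file size or count" >&2
fi
```

Run the printed command with the privileges your platform requires for packet capture, stop it (Ctrl+C) as soon as the event of interest has occurred, and archive the files in the output folder exactly as in step 7.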
Edited by KAVabunga