Ring buffer capture
Definition
A capture mode in which the tool writes successive PCAP files of a fixed size or duration, overwriting the oldest when the buffer is full. Used for continuous monitoring where indefinite storage is not available. In forensic deployments, the ring buffer is typically frozen (stopped) the moment an incident is declared, to preserve the files covering the relevant window.
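Added example (not from the original page or any capture tool): once the ring has been frozen, this sketch copies the files that overlap the incident window to a separate evidence directory, marks the copies read-only, and records a SHA-256 for each. It assumes the ring files end in `.pcap` and that each file's modification time marks its last packet; the function names, file names and timestamps are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def preserve_window(ring_dir, evidence_dir, start, end):
    """Copy ring files whose coverage overlaps [start, end] (epoch seconds).

    Assumption: a file's last-modified time marks its final packet, and it
    began where the previous file (by mtime) ended. The oldest surviving file
    has no known start, so it is kept whenever it ends at or after `start`.
    Returns a manifest of (name, sha256) pairs in capture order.
    """
    files = sorted(Path(ring_dir).glob("*.pcap"), key=lambda p: p.stat().st_mtime)
    Path(evidence_dir).mkdir(parents=True, exist_ok=True)
    manifest, prev_end = [], float("-inf")
    for f in files:
        file_end = f.stat().st_mtime
        if prev_end <= end and file_end >= start:   # the two intervals overlap
            dest = Path(evidence_dir) / f.name
            shutil.copy2(f, dest)                   # copy2 keeps timestamps
            os.chmod(dest, 0o444)                   # read-only evidence copy
            manifest.append((f.name, hashlib.sha256(dest.read_bytes()).hexdigest()))
        prev_end = file_end
    return manifest


def demo():
    """Constructed sample: five 60-second ring files, incident at t=1130..1190."""
    root = Path(tempfile.mkdtemp())
    ring, evidence = root / "ring", root / "evidence"
    ring.mkdir()
    for i in range(5):
        f = ring / f"cap_{i:05d}.pcap"
        f.write_bytes(b"constructed-placeholder-%d" % i)  # not real PCAP data
        os.utime(f, (1000 + 60 * (i + 1),) * 2)           # ends 1060, 1120, ...
    return preserve_window(ring, evidence, 1130, 1190)


if __name__ == "__main__":
    for name, digest in demo():
        print(digest, name)
```

The file before the window's first packet is skipped only because its end time is known; when in doubt about clock accuracy, widen `start` and `end` rather than trimming the selection.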
Related terms
- BPF (Berkeley Packet Filter)
- A kernel-level packet filtering mechanism used by tcpdump, Wireshark, and most capture tools to select which packets are written to disk. BPF...
- Network tap
- A hardware device inserted inline in a network cable path that passively copies the electrical or optical signal to one or more...
- PCAP / PCAPng
- The standard file formats for storing captured packets. PCAP (libpcap format) is the legacy standard supported by virtually all tools. PCAPng (Next...
- Promiscuous mode
- A network interface operating mode in which the card passes all received frames to the capture software, not just frames addressed to...
- SPAN port (port mirroring)
- A switch feature that copies frames from one or more source ports or VLANs to a designated destination port, where a capture...
Explained in
- Packet Capture Tools and Methods
- A capture mode in which the tool writes successive PCAP files of a fixed size or duration, overwriting the oldest when the buffer is full. Used for continuous...