John Dill <John.Dill@...> writes:
> On a unrelated note, is there some way to begin a capture in wireshark (or
one of its tools) when a packet
> matches a filter expression? For example, I have a specific packet that
triggers some process on the
> system, and I want to capture for the next 2 minutes and then stop.
This is not directly possible, no. However, you can script something
together to make this work by utilizing 2 instances of dumpcap, for example.
The first instance would wait for the capture event of interest, then
terminate, which would allow the second instance to be started up with the
capture settings you desire (e.g., capturing for 2 minutes, etc.).
If you're running on Windows, I wrote a dumpcap.bat batch file to help with
this, which I originally announced on 31 May 2014 here:
https://www.wireshark.org/lists/wireshark-users/201405/msg00030.html. It
supports 4 modes of operation (including triggered captures), supports
e-mail notification of the event with the help of mailsend, and has hooks
for user-defined actions. The latest published version of the batch file is
currently available under the Scripts section of
https://wiki.wireshark.org/Tools. It is mostly self-documented, but you can
read more about it from the link above or from some questions on
ask.wireshark.org where I thought the batch file might possibly come in
handy for other folks:
1)
https://ask.wireshark.org/questions/39456/is-there-a-way-to-stop-capture-
upon-http-error-404
2) https://ask.wireshark.org/questions/40888/custom-stop-recording-trigger
3) https://ask.wireshark.org/questions/26434/sound-alert
- Chris
P.S. Keep in mind that trigger mode might not be good enough though, as
capturing won't start until AFTER the event occurs. If you want to be sure
you capture from the event onwards, you might want to run the batch file in
"Dumpcap+Event" Mode and use a ring buffer to do continuous capturing until
the event occurs and then just set the "Event kills dumpcap?" option to "Y"
along with "Delay before kill/action" to 120 seconds in your case.