Wireshark-dev: Re: [Wireshark-dev] proto.h extension
From: "John Dill" <John.Dill@xxxxxxxxxxxxxxxxx>
Date: Fri, 8 May 2015 09:07:04 -0400
>Message: 2
>Date: Thu, 7 May 2015 17:58:46 +0000 (UTC)
>From: Christopher Maynard <Christopher.Maynard@xxxxxxx>
>To: wireshark-dev@xxxxxxxxxxxxx
>Subject: Re: [Wireshark-dev] proto.h extension
>Message-ID: <loom.20150507T193823-35@xxxxxxxxxxxxxx>
>Content-Type: text/plain; charset=us-ascii
>
>John Dill <John.Dill@...> writes:
>
>> On an unrelated note, is there some way to begin a capture in wireshark (or
>> one of its tools) when a packet matches a filter expression? For example, I
>> have a specific packet that triggers some process on the system, and I want
>> to capture for the next 2 minutes and then stop.
>
>This is not directly possible, no. However, you can script something
>together to make this work by utilizing 2 instances of dumpcap, for example.
>The first instance would wait for the capture event of interest, then
>terminate, which would allow the second instance to be started up with the
>capture settings you desire (e.g., capturing for 2 minutes, etc.).
>
>If you're running on Windows, I wrote a dumpcap.bat batch file to help with
>this, which I originally announced on 31 May 2014 here:
>https://www.wireshark.org/lists/wireshark-users/201405/msg00030.html. It
>supports 4 modes of operation (including triggered captures), supports
>e-mail notification of the event with the help of mailsend, and has hooks
>for user-defined actions. The latest published version of the batch file is
>currently available under the Scripts section of
>https://wiki.wireshark.org/Tools. It is mostly self-documented, but you can
>read more about it from the link above or from some questions on
>ask.wireshark.org where I thought the batch file might possibly come in
>handy for other folks:
>
>1) https://ask.wireshark.org/questions/39456/is-there-a-way-to-stop-capture-upon-http-error-404
>2) https://ask.wireshark.org/questions/40888/custom-stop-recording-trigger
>3) https://ask.wireshark.org/questions/26434/sound-alert
>
>- Chris
>
>P.S. Keep in mind that trigger mode might not be good enough though, as
>capturing won't start until AFTER the event occurs. If you want to be sure
>you capture from the event onwards, you might want to run the batch file in
>"Dumpcap+Event" Mode and use a ring buffer to do continuous capturing until
>the event occurs and then just set the "Event kills dumpcap?" option to "Y"
>along with "Delay before kill/action" to 120 seconds in your case.

Thank you, I will take a look and give it a try.

Best regards,
John D.
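The two-dumpcap arrangement Chris describes, in both his "trigger" form and the ring-buffer "Dumpcap+Event" form from his P.S., as an added POSIX shell example. This is not a script from the thread and not Chris's dumpcap.bat; the interface (eth0), the capture filter (tcp port 5555) and the output directory are placeholder assumptions. The dumpcap options it uses (-i, -f, -c, -a duration:N, -b filesize:N, -b files:N, -q, -w) are real dumpcap options. One caveat worth knowing before choosing the trigger: dumpcap takes capture (BPF) filters only, not Wireshark display filters, so the event must be expressible as a BPF filter.

```shell
#!/bin/sh
# Added example (not from the thread or from Wireshark): the two-dumpcap
# pattern. Interface, filter and paths are placeholders; the dumpcap
# options used (-i -q -f -c -a -b -w) are standard dumpcap options.
set -u

DUMPCAP="dumpcap"
CAP_IFACE="eth0"                      # placeholder: interface to listen on
CAP_EVENT="tcp port 5555"             # placeholder: BPF capture filter matching the trigger packet
CAP_SECS=120                          # capture window after the event (2 minutes)
CAP_DIR="/tmp/triggered-capture"      # placeholder output directory

# Stage 1: the "watcher" dumpcap. -c 1 makes it exit after the first packet
# matching the capture filter, so its exit *is* the event notification.
# The trigger packet itself lands in event.pcapng.
watcher_cmd() {
    printf '%s -i %s -q -f "%s" -c 1 -w %s/event.pcapng' \
        "$DUMPCAP" "$CAP_IFACE" "$CAP_EVENT" "$CAP_DIR"
}

# Stage 2 for trigger mode: a fresh dumpcap that stops itself after
# CAP_SECS seconds (-a duration:N).
after_event_cmd() {
    printf '%s -i %s -q -a duration:%s -w %s/after-event.pcapng' \
        "$DUMPCAP" "$CAP_IFACE" "$CAP_SECS" "$CAP_DIR"
}

# Continuous ring buffer for "Dumpcap+Event" mode: 10 files of about 10 MB
# (filesize is in kB), oldest overwritten, so traffic from *before* the
# event is kept as well.
ring_cmd() {
    printf '%s -i %s -q -b filesize:10240 -b files:10 -w %s/ring.pcapng' \
        "$DUMPCAP" "$CAP_IFACE" "$CAP_DIR"
}

# Trigger mode: nothing but the trigger packet is captured until the
# watcher has exited; packets between its exit and stage 2 starting are
# lost (Chris's caveat).
trigger_mode() {
    mkdir -p "$CAP_DIR"
    eval "$(watcher_cmd)"           # blocks until the trigger packet arrives
    echo "event seen, capturing for ${CAP_SECS}s"
    eval "$(after_event_cmd)"
}

# Dumpcap+Event mode: the ring buffer runs the whole time; the event only
# schedules its termination CAP_SECS later ("Event kills dumpcap?" = Y with
# "Delay before kill/action" = 120 in batch-file terms).
ring_mode() {
    mkdir -p "$CAP_DIR"
    sh -c "exec $(ring_cmd)" &      # exec so $! is dumpcap's own pid
    ring_pid=$!
    eval "$(watcher_cmd)"           # wait for the trigger packet
    echo "event seen, stopping ring capture in ${CAP_SECS}s"
    sleep "$CAP_SECS"
    kill -TERM "$ring_pid"          # dumpcap closes the current file cleanly on SIGTERM
    wait "$ring_pid" || true
}

case "${1:-}" in
    trigger) trigger_mode ;;
    ring)    ring_mode ;;
    *)       echo "usage: $0 trigger|ring" ;;
esac
```

Run it as `sh triggered-capture.sh trigger` or `sh triggered-capture.sh ring` with whatever privileges dumpcap needs on the interface. The command builders are separate from the runners so the exact dumpcap invocations can be printed and checked before anything is captured.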