Wireshark-users: Re: [Wireshark-users] how to start Wireshark automatically at each boot-up?

From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Thu, 14 Jan 2010 10:31:30 -0500
Karthik Balaguru wrote:
On 1/14/10, Forthofer Russ <Russ.Forthofer@xxxxxxxxx> wrote:
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Karthik Balaguru
Sent: Thursday, January 14, 2010 8:30 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] how to start Wireshark automatically at each boot-up?

On 1/14/10, Hrishikesh Murali <hrishikeshmurali88@xxxxxxxxx> wrote:
Hi,
On Thu, Jan 14, 2010 at 5:20 AM, Dai Nish <dai_nish@xxxxxxxxxxx> wrote:


Please advise me how you could start Wireshark automatically and use it to monitor network traffic at each boot-up.

Just add the line "wireshark&" to /etc/rc.local
Will Wireshark be able to select the interface by just adding the above line? I think it will only start Wireshark.

Use the "-i <interface>" option. "wireshark -h" will show you the command-line options available.


Interesting!
So invoking the wireshark by adding the line "wireshark&" to /etc/rc.local along
with the '-i' option solves the interface selection problem.
I checked the below link:
http://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html
I find very good support in command line for conveying the 'capture
stop conditions' and various methods of handling large number of
output logs to 'capture output'.


One comment:

Using Wireshark directly is not suitable for long-term captures. It dissects frames as they are received and accumulates info in memory about the frames. It will thus use more and more memory as time goes on.

The program which should be used is Dumpcap (installed along with Wireshark, etc.), which is the program invoked by Wireshark to capture data.

Dumpcap can be used to just write a capture to a file (or files).

See the man page, the User's Guide, etc. for more information.
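
A boot-time capture along the lines of the last message, using dumpcap with a ring buffer so disk use stays bounded; this is an added example, not part of the original thread. The interface eth0, the directory /var/log/pcap, the sizes and the function names are assumptions; the script would be called from /etc/rc.local with the argument "start".

```shell
#!/bin/sh
# Added example: boot-time ring-buffer capture with dumpcap.
# All values below are constructed defaults; adjust them to the host.
IFACE="${IFACE:-eth0}"
CAP_DIR="${CAP_DIR:-/var/log/pcap}"
FILE_KB="${FILE_KB:-102400}"   # dumpcap -b filesize is in kB: rotate at ~100 MB
FILES="${FILES:-20}"           # ring of 20 files, oldest one is overwritten

# Upper bound on the disk space the ring can occupy, in MB.
ring_budget_mb() {
    echo $(( $1 * $2 / 1024 ))
}

# Print the dumpcap command line; return 1 if any argument is unsafe
# to pass on unquoted (shell metacharacters, spaces, relative path).
build_dumpcap_cmd() {
    iface=$1 dir=$2 kb=$3 n=$4
    case $iface in ''|*[!A-Za-z0-9._:-]*) return 1 ;; esac
    case $dir in /*) ;; *) return 1 ;; esac
    case $dir in *[!A-Za-z0-9._/-]*) return 1 ;; esac
    case $kb in ''|*[!0-9]*) return 1 ;; esac
    case $n in ''|*[!0-9]*) return 1 ;; esac
    # -q: no running packet counter; dumpcap appends a sequence number
    # and timestamp to the file name when -b is used.
    printf 'dumpcap -q -i %s -b filesize:%s -b files:%s -w %s/boot.pcapng\n' \
        "$iface" "$kb" "$n" "$dir"
}

# Launch only when invoked as "<script> start", e.g. from /etc/rc.local.
if [ "${1:-}" = "start" ]; then
    umask 077                        # capture files readable by owner only
    mkdir -p "$CAP_DIR" || exit 1
    cmd=$(build_dumpcap_cmd "$IFACE" "$CAP_DIR" "$FILE_KB" "$FILES") || exit 1
    echo "ring buffer budget: $(ring_budget_mb "$FILE_KB" "$FILES") MB" >&2
    $cmd &                           # word splitting is safe after validation
fi
```

Packet captures can hold credentials and other sensitive payloads, which is why the script sets a restrictive umask before dumpcap creates any file.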