Wireshark-users: Re: [Wireshark-users] automate capture feature

From: Phil Paradis <Phil.Paradis@xxxxxxxxxxxxxx>
Date: Sat, 17 Apr 2010 01:09:11 -0700
Rotating the files every minute is going to generate a LOT of files; if the capture is going to run for any significant length of time, I'd suggest using a file size limit and/or a much longer time limit. Some filesystems will choke on directories with huge numbers of files in them; something to keep in mind when determining how many files to keep.

Captured data is written to disk pretty much as it's received (there is a delay of several seconds due to write caching by the OS) so that shouldn't be a major concern; if the box crashes during a capture, you shouldn't lose more than a few seconds worth of captured data. 

If you plan to run your capture for a long time, I'd suggest using dumpcap instead of tshark/wireshark; dumpcap simply writes the packets to disk, while the *shark tools also analyze them in real-time. As a result, the *shark tools will eventually run out of RAM trying to maintain state information over very long periods of time.

A final point to note is that for very long-running captures (many days) on Windows boxes, the accuracy of timestamps will be adversely affected. This is a limitation of the mechanism used by WinPcap to generate the timestamps with a high level of precision. Rebooting the box periodically will keep the timestamps from getting too far out of sync with reality.

On Apr 16, 2010, at 11:44 PM, Martin Visser wrote:

> While you can do what Tal says, you can do this easily in Wireshark. Before you capture, open the Capture->Options menu. Under the Capture File(s) section, enter a File name, for example mycapture.pcap, then select the Multiple Files checkbox and select only Next File every 1 minute. You can optionally specify when you want to stop.
> 
> Wireshark will then create a new file every minute called something like mycapture_00001_20100417131441.pcap (where the first set of digits is a serial number and the second is a contracted form of the date).
> 
> Simple!
> 
> Regards, Martin
> 
> MartinVisser99@xxxxxxxxx
> 
> 
> On Sat, Apr 17, 2010 at 4:14 AM, Tal Bar-Or <tbaror@xxxxxxxxx> wrote:
> Hi,
> 
> I would first use Tshark and then use file rotation (file ring buffer), let's say 2 files for 1 min, and always query the last file not active.
> Next I would parse (regexp) the data needed, write it to XML, send it to a central location and display it via a web console using Flex technology.
> Regards
> 
> 
> On Fri, Apr 16, 2010 at 5:38 PM, sachindeo v chavan <sachin_chavan@xxxxxxxxx> wrote:
> Hi all,
> 
> I have a query on wireshark. I have version 1.2.7.
> How can I repetitively capture network traffic and save the capture at a regular interval, say every 1 min, while the capture is going on?
> 
> In other words, save the captured info on the fly? That is, save every 1 min while the capture is going on.
> 
> regards
> sachin
> 
> 
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> 
> 
> 
> -- 
> Tal Bar-or
> 

--
Phillip Paradis / Network Engineer / United Tote
Phone +1 502 509 7445 / Email phillip.paradis@xxxxxxxxxxxxxx