I have this working with tshark and have successfully used it recently. Run the following command:
tshark -b filesize:20480 -b files:1000 -i eth3 -w /var/dumpcap/eth3
to capture continuously, chunking individual files to 20MB, using a ring buffer of at most 1000 files.
On 26 August 2010 13:00, kevin creason <ckevinj@xxxxxxxxx> wrote:
This thread was very helpful-- but it wasn't working for me. It only took the first -b flag, I had to make the duration/filesize option a "-a" flag and only the "files:#" on the -b flag.
I went with the filesize rotation rather than a duration because the files from the duration of 120 seconds ranged from a few MB to 500MB on my small business network. A 500MB file in Wireshark is not easy to work with!
I want to have several hours' worth to go back and look at, so we'll see how this will work. Here's my command:
dumpcap -a filesize:6000 -b files:150 -i eth3 -w /var/dumpcap/eth3
-Kevin
/*“ I am looking for a lot of men who have an infinite capacity to not know what can't be done. ” -- Henry Ford */
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
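
Added example, not part of the thread: a POSIX shell helper that reads the filesize and files limits from a dumpcap/tshark argument list and checks the worst-case ring size against free disk space before a long-running capture is started. The function names and the reserve parameter are hypothetical, and filesize is assumed to be in kB, as the 20480 for 20MB figure in the thread implies.

```shell
#!/bin/sh
# Added example (not from the thread): size a dumpcap/tshark ring buffer
# from its own command line. Assumes filesize values are in kB.

# Print the worst-case ring size in kB for a dumpcap/tshark argument list.
# Accepts "filesize:N" on either -a or -b, since both forms appear in the thread.
ring_footprint_kb() {
    size_kb="" files=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -a|-b)
                case "${2:-}" in
                    filesize:*) size_kb=${2#filesize:} ;;
                    files:*)    files=${2#files:} ;;
                esac
                if [ "$#" -ge 2 ]; then shift; fi
                ;;
        esac
        shift
    done
    # Without both limits, or with non-numeric values, the ring is not bounded.
    case "$size_kb" in ''|*[!0-9]*) return 1 ;; esac
    case "$files"   in ''|*[!0-9]*) return 1 ;; esac
    echo $((size_kb * files))
}

# Succeed only if the ring fits in the space free under DIR while keeping
# RESERVE_KB spare. df -Pk reports 1024-byte blocks, so this is approximate.
# Returns 2 when the argument list does not bound the capture at all.
ring_fits() {
    dir=$1 reserve_kb=$2
    shift 2
    need_kb=$(ring_footprint_kb "$@") || return 2
    avail_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ $((need_kb + reserve_kb)) -le "$avail_kb" ]
}

# Worst-case footprint of the two command lines quoted in the thread:
ring_footprint_kb -b filesize:20480 -b files:1000 -i eth3 -w /var/dumpcap/eth3
ring_footprint_kb -a filesize:6000 -b files:150 -i eth3 -w /var/dumpcap/eth3
```

Calling `ring_fits /var/dumpcap 1048576` followed by the capture arguments before launching dumpcap keeps a misjudged ring from filling the volume that holds the evidence.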