This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

long period capture

0

Hello

I use Wireshark to record data exchanged on a network (UDP data). I would like to capture data over a long period (3 hours, knowing that a 5-minute capture gives 800 MB of recorded data). The problem is that Wireshark does not manage to handle such a volume of data: is there a PC or Wireshark upgrade that could solve the problem? What do you suggest?

Thx

Note that I am not a network expert...

This question is marked "community wiki".

asked 24 Nov '10, 08:02


Bruno_47
accept rate: 0%


One Answer:

3

You can use dumpcap (which is part of Wireshark) to do that. You can use the following command:

dumpcap -i <interface> -w <file.pcap> -f <filter> -b filesize:65536 -a files:512

This will create 512 files of 64 MB each and then stop, resulting in a file set of 32 GB (3 hrs / 5 min * 800 MB = roughly 29 GB).

You could also create a ring buffer of files to capture the data until a problem occurs and then stop the collection. This can be done by:

dumpcap -i <interface> -w <file.pcap> -f <filter> -b filesize:65536 -b files:512

This way, after 512 files have been written, the first one will be deleted and a 513th one will be created, and so on.

answered 24 Nov '10, 09:24


SYN-bit ♦♦
accept rate: 20%
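A small capacity-planning helper for the file-set sizing discussed in this answer, added here as an example; it is not part of the original post or of Wireshark. It turns an observed rate (800 MB per 5 minutes) and a target duration (3 hours) into the number of files for `-a files:` or `-b files:`, checks free disk space, and builds the dumpcap command line as an argv list so the capture filter needs no shell quoting. The interface, output path and filter values are placeholders.

```python
import math
import shutil
from typing import List

# dumpcap counts "filesize:" in kB (1000 bytes); 65536 kB is what the answer
# above calls a 64 MB file. All sizes below are therefore expressed in kB.
MB_IN_KB = 1000


def files_needed(duration_min: float, sample_min: float,
                 sample_kb: float, filesize_kb: int) -> int:
    """Files of filesize_kb needed to hold duration_min of traffic, given that
    sample_min of traffic produced sample_kb of capture data (rounded up)."""
    expected_kb = sample_kb * duration_min / sample_min
    return math.ceil(expected_kb / filesize_kb)


def dumpcap_argv(interface: str, outfile: str, bpf: str,
                 filesize_kb: int, nfiles: int, ring: bool) -> List[str]:
    """Build the dumpcap command line.
    ring=False: rotate files on size and stop after nfiles (-b filesize + -a files).
    ring=True:  rotate files on size and keep only the last nfiles (-b filesize + -b files)."""
    argv = ["dumpcap", "-i", interface, "-w", outfile, "-f", bpf,
            "-b", f"filesize:{filesize_kb}"]
    argv += ["-b" if ring else "-a", f"files:{nfiles}"]
    return argv


def disk_ok(path: str, filesize_kb: int, nfiles: int, margin: float = 1.1) -> bool:
    """True if the volume holding `path` has room for the whole file set plus a margin."""
    free_kb = shutil.disk_usage(path).free / 1000
    return free_kb >= filesize_kb * nfiles * margin


if __name__ == "__main__":
    # Constructed values taken from the question: 800 MB per 5 min, 3 h wanted.
    n = files_needed(duration_min=180, sample_min=5,
                     sample_kb=800 * MB_IN_KB, filesize_kb=65536)  # -> 440 files
    print(f"{n} files of 65536 kB needed; disk ok: {disk_ok('.', 65536, n)}")
    print(" ".join(dumpcap_argv("eth0", "/data/udp.pcap", "udp", 65536, n, ring=False)))
```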

Thanks for this idea !

(29 Nov '10, 04:52) Bruno_47

Bruno, I converted your "answer" into a "comment" to adhere to the Q&A style of this website.

(29 Nov '10, 04:57) SYN-bit ♦♦