This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Save output of sessions to continuous logs

0

I want to capture everything from a mirrored port to my router. I want to be able to get captures in one hour increments continuously for four days then start wrapping these captures so the hard drive does not fill up.

Is there a way to leave Wireshark running, then “cut pcap’s” every hour, then start wrapping these files after four days?

asked 03 Jan '11, 07:48

georgeshark
accept rate: 0%


4 Answers:

1

A command I use very often is:

dumpcap -i eth0 -w file.cap -b filesize:16384 -b files:1024

This command will capture from interface eth0 to a ring buffer of 1024 files of 16MB size. The filenames will be file_NNNNN_YYYYMMDDHHMMSS.cap. After the 1024th file has been written, the 1st will be deleted and the 1025th will be created.

Of course you can change the parameters to your liking. If you do want one-hour files for 4 days, you can use:

dumpcap -i eth0 -w file.cap -b duration:3600 -b files:96

Of course you have no guarantee that your drive won't fill up, as you don't know how much data will be in each hour.

answered 03 Jan '11, 12:49

SYN-bit ♦♦
accept rate: 20%

I am using this: dumpcap -i 2 -w file.cap -b duration:3600 -b files:96 and it works great. This is saving everything to the files.

Since I am using VoIP on the machine, is there a way to exclude RTP traffic from the file? I want to 'see' everything else, just not the RTP.

I tried using tshark with a !(RTP) but, with the -R you can't save it to a file AND exclude traffic. Can I do it using dumpcap?

Thanks again

(06 Jan '11, 07:41) georgeshark

(I converted your answer to a comment to preserve the logical order of messages)

No, you can't use display filters with dumpcap as it does not do any dissection of packets. You can however use capture filters. So if you can make a capture filter that filters out RTP, then you're in business.

Does your VoIP traffic use specific IP addresses to exclude? Or maybe it is in a separate VLAN and you are capturing traffic on a tagged interface?

(06 Jan '11, 09:17) SYN-bit ♦♦
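The answer above notes that the ring buffer gives no guarantee against a full drive, because the per-hour volume is unknown. The following is an added example, not code from the original thread or from Wireshark: it parses the file_NNNNN_YYYYMMDDHHMMSS.cap names that dumpcap writes, reports the average file size and any gaps in the sequence, and checks whether the requested "-b files:N" fits a disk budget. The sample directory listing is constructed.

```python
import re
from datetime import datetime

# dumpcap names ring-buffer output for "-w file.cap" as
# <prefix>_<NNNNN>_<YYYYMMDDHHMMSS>.<ext>; the timestamp is when that file was opened.
RING_NAME = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.(?P<ext>[A-Za-z0-9]+)$")

# Constructed sample listing (name, size in bytes); file 3 is missing on purpose.
SAMPLE = [
    ("file_00001_20110103124900.cap", 120_000_000),
    ("file_00002_20110103134900.cap", 80_000_000),
    ("file_00004_20110103154900.cap", 100_000_000),
    ("notes.txt", 10),
]


def parse_ring_name(name):
    """Return (prefix, sequence, opened_at) for a ring-buffer file, or None for anything else."""
    m = RING_NAME.match(name)
    if m is None:
        return None
    return m["prefix"], int(m["seq"]), datetime.strptime(m["ts"], "%Y%m%d%H%M%S")


def ring_summary(entries):
    """Summarise a directory listing of (filename, size) pairs: oldest/newest open time,
    total and average bytes, and gaps in the sequence (deleted files or a restarted capture)."""
    files = []
    for name, size in entries:
        parsed = parse_ring_name(name)
        if parsed is not None:
            files.append((parsed[1], parsed[2], size))
    if not files:
        return None
    files.sort()
    seqs = {seq for seq, _, _ in files}
    total = sum(size for _, _, size in files)
    return {
        "oldest": files[0][1],
        "newest": files[-1][1],
        "files": len(files),
        "total_bytes": total,
        "avg_bytes_per_file": total // len(files),
        "gaps": [s for s in range(min(seqs), max(seqs)) if s not in seqs],
    }


def files_that_fit(summary, disk_budget_bytes, files_wanted):
    """Files the budget allows at the observed average size, and whether "-b files:N" fits."""
    n = disk_budget_bytes // summary["avg_bytes_per_file"]
    return n, files_wanted <= n


if __name__ == "__main__":
    s = ring_summary(SAMPLE)
    print(s, files_that_fit(s, 5_000_000_000, 96))
```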

1

In Wireshark, if you go to the Capture Options before starting your capture, you can do what you need. Simply specify a folder and filename (which becomes the prefix for subsequent captures), check Use Multiple Files. Then check the box and fill in Next File Every "1 hour" and check and fill in Ring Buffer with "96" files. Note however that Wireshark will attempt to dissect the traffic it captures and consumes memory doing so.

So as has been pointed out by Sake and Bill, dumpcap is probably the best for continuous logging, as it does a raw capture and doesn't need to do any dissecting to build up state and consume memory.

answered 03 Jan '11, 19:16

martyvis
accept rate: 7%

0

For continuous capturing, use dumpcap (the program used by wireshark and tshark to do the actual capture).

Also: see 'dumpcap -h' (or the dumpcap man page) for info on how to limit capture files to one hour and how to wrap the files after "n" files.

answered 03 Jan '11, 07:56

Bill Meier ♦♦
accept rate: 17%

0

Thanks all, these are great ways to do this.

answered 04 Jan '11, 05:38

georgeshark
accept rate: 0%