This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark from the command line

0

We need to trace at the same time every day until we can nail down a problem we are having with our system (which is intermittent). It is a machine with multiple interfaces but only one is involved in the problem.

When we start up wireshark on the server and have it write to a file it locks up / dies after about 50 minutes. If I look at the memory on the box I can see that it climbs and climbs and climbs until there is no more memory for WS to grab.

Rather than try to fix wireshark we want to log on, run a batch file which will start wireshark for us, have it create files of 100MB each and just keep creating file after file until 45 minutes have passed, then it will shut down. (In the batch file it will then start up again but that is not the issue).

Currently I cannot get the app to create multiple files for X amount of time. Here is the entire bat file (below that is the line that starts the app):

Note: this bat uses shorter times and smaller files to prove function before going for the full length:

@echo on
set start=0
set /p end= Enter Number of times to loop, 6 loops of 10 minutes are 1 hour: 
:loop
if %start%==%end% goto stop
"C:\Program Files\Wireshark\wireshark.exe" -i \Device\NPF_{D6FB4DD7-AEBF-49B5-9409-6421DC62BC1F} -a duration:600 -b filesize:100 -w C:\TempWireShark\Results\IVR1.cap -k -Q
set /a start=%start%+1
goto loop
:stop

This is my command line currently: "C:\Program Files\Wireshark\wireshark.exe" -i \Device\NPF_{D6FB4DD7-AEBF-49B5-9409-6421DC62BC1F} -a duration:600 -b filesize:100 -w C:\Temp\WireShark\Results\IVR1.cap -k -Q. It creates one file of the specified filesize (I have made it larger and smaller to test with) then shuts down. The bat will re-start WS, but it only wrote one file and did not keep creating more files until the time specified in -a was reached.

Any ideas how to fix this?

We are using WS because we periodically check what is happening and examine some of the packets as they are coming in so we want to be able to see them.

asked 13 Sep '11, 13:32


Sandy Murdock
accept rate: 0%

edited 14 Sep '11, 04:00


Jaap ♦


One Answer:

0

The Out of Memory bug is well-known. You should use dumpcap for this task, although you could use tshark if you want to watch the capture while it's in progress. Automating the Wireshark GUI is not a readily scriptable task. You can always review files created with dumpcap or tshark with Wireshark post-mortem for further in-depth analysis.

answered 13 Sep '11, 13:48


multipleinte...
accept rate: 12%

Note that, as TShark dissects packets, its memory usage will grow over time if you're running it to capture for a very long time.

(13 Sep '11, 14:04) Guy Harris ♦♦
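As an added example (not code from the question or the answer above), here is the batch file reworked around dumpcap as the answer suggests. The dumpcap path, output directory and interface GUID are taken from the question and are assumptions for any other machine; note that dumpcap's -b filesize: value is in kilobytes, so 100 MB is 102400.

```batch
@echo off
rem Added example: capture loop using dumpcap instead of the Wireshark GUI.
rem Install path, interface and output directory are assumed (from the question).
setlocal

set "DUMPCAP=C:\Program Files\Wireshark\dumpcap.exe"
rem "dumpcap -D" lists interfaces with a number; that number (e.g. -i 2)
rem can be used instead of the long \Device\NPF_{...} name.
set "IFACE=\Device\NPF_{D6FB4DD7-AEBF-49B5-9409-6421DC62BC1F}"
set "OUTDIR=C:\TempWireShark\Results"
rem -a duration: is in seconds (45 minutes); -b filesize: is in kB (100 MB).
set "RUN_SECONDS=2700"
set "FILE_KB=102400"

if not exist "%OUTDIR%" mkdir "%OUTDIR%"

set /p END=Enter number of 45-minute runs to perform: 
set START=0

:loop
if "%START%"=="%END%" goto stop
rem With -b, dumpcap keeps writing new files until -a duration expires and
rem appends a sequence number and start time to each name, e.g.
rem IVR1_00001_20110913133200.cap, IVR1_00002_..., so nothing is overwritten.
"%DUMPCAP%" -i "%IFACE%" -a duration:%RUN_SECONDS% -b filesize:%FILE_KB% -w "%OUTDIR%\IVR1.cap"
if errorlevel 1 (
    echo dumpcap exited with error %ERRORLEVEL% on run %START%, stopping.
    goto stop
)
set /a START+=1
goto loop

:stop
endlocal
```

The finished files can be opened in Wireshark for analysis at any time; to watch packets while the capture is running, substitute tshark.exe for dumpcap.exe with the same -i, -a, -b and -w options, bearing in mind the memory-growth caveat in the comment above.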