Assuming you have a known network interface where you can capture this behaviour, what you can do is run dumpcap, not Wireshark, in ring buffer mode. That will capture the traffic which you can then pick up when the event is reported. Running dumpcap will not analyse the traffic, so won't blow out of memory when running for a long time. Tweak the ring buffer parameters to your needs, i.e. capture file sizes you can handle, retention time, available storage size, etc.
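A worked version of the ring-buffer setup described above, added here and not part of the original answer; the interface (eth0), output directory, 100 MB file size, 64-file ring and one-hour rotation are assumed values to adjust to your host:

```shell
#!/bin/sh
# Added example, not from the original post: build a dumpcap ring-buffer
# capture, size it against available disk, and copy the ring aside when an
# event is reported. eth0, /var/tmp/ring, 102400 kB, 64 files and 3600 s are
# assumed defaults.

# ring_cmd IFACE OUTDIR FILESIZE_KB NFILES DURATION_S [FILTER]
# Prints the dumpcap command. -b filesize/duration rotate to the next file at
# whichever limit trips first; -b files:N keeps N files and then overwrites
# the oldest, so memory use stays flat however long it runs.
ring_cmd() {
    iface=$1; outdir=$2; size_kb=$3; nfiles=$4; dur=$5; filter=${6:-}
    cmd="dumpcap -q -i $iface -b filesize:$size_kb -b files:$nfiles -b duration:$dur -w $outdir/ring.pcapng"
    [ -n "$filter" ] && cmd="$cmd -f '$filter'"
    printf '%s\n' "$cmd"
}

# Worst-case disk use of the ring in kB (all NFILES files full).
ring_storage_kb() { echo $(( $1 * $2 )); }

# Longest window the ring can cover in seconds; it shrinks when traffic
# fills a file before DURATION_S elapses.
ring_max_retention_s() { echo $(( $1 * $2 )); }

# Return 0 if OUTDIR's filesystem has room for the full ring.
check_space() {
    avail_kb=$(df -kP "$1" | awk 'NR==2 {print $4}')
    [ "$avail_kb" -ge "$2" ]
}

# When the event is reported, copy the ring files out before dumpcap
# overwrites them (dumpcap names them ring_<seq>_<timestamp>.pcapng).
save_ring() {
    mkdir -p "$2" && cp "$1"/ring_*.pcapng "$2"/
}

# Usage when run directly (dumpcap needs capture privileges on IFACE).
if [ "${1:-}" = "start" ]; then
    need=$(ring_storage_kb 102400 64)
    check_space /var/tmp/ring "$need" || { echo "not enough space for ${need} kB ring" >&2; exit 1; }
    mkdir -p /var/tmp/ring
    eval "$(ring_cmd eth0 /var/tmp/ring 102400 64 3600)"
elif [ "${1:-}" = "save" ]; then
    save_ring /var/tmp/ring "/var/tmp/incident-$(date +%Y%m%d%H%M%S)"
fi
```

Check the storage and retention figures before starting: 64 files of 100 MB is about 6.4 GB on disk and at most 64 hours of history at one rotation per hour.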