Can a capture be saved in files on multiple drives?
I am new to Wireshark and would like to set up three two terabyte drives to record network. The plan is to connect the three drives to a USB hub and record three month's work of network activity. Is it possible that when one drive is full, Wireshark starts recording on the second drive then when that's full start on the third drive? The idea is to continuously do this like a revolving door.
What operating system will the capture system be running?
On a Mac Mini server with Catalina and Wireshark, that is been fed from a Mikrotik RB450Gx4 and the RouterOS sniffer tool. I had tested it with for a whole week during my learning process, and it went smoothly.
It seems from the following responses that the Wireshark software is limited to capturing and recording onto the flash drive (USB3) ... I might need to use scripting/automate on the OS to switch drives when the first drive is full. Now, I am thinking how to get Wireshark to recognize when the switch occurred and to start recording again. My idea is to dissect and analyze alert issue identified by the IDS/IPS. My network consists of ISP > pfSense > Mikrotik > managed switch >clients.
Yes, this is more of a data archiving project than a tweak the file destinations for Wireshark project.
Create a new file automatically…
You might also look at what Security Onion does to cycle through capture files.
I had thought of Security Onion but when I realize it was easy to use the Wireshark to capture and record from the Mikrotik since traffic from the Mikrotik to the pfSense is natted. I agree it seems more like data archiving. The alternative is to just manually do it if I can get Wireshark to notify me when the drive is full ... is that possible?
It doesn't appear that Wireshark can notify when disk is full.