Ask Your Question
0

Can a capture be saved in files on multiple drives?

asked 2020-04-22 20:59:40 +0000

Nolliwira gravatar image

updated 2020-04-23 23:34:17 +0000

Guy Harris gravatar image

I am new to Wireshark and would like to set up three two terabyte drives to record network. The plan is to connect the three drives to a USB hub and record three month's work of network activity. Is it possible that when one drive is full, Wireshark starts recording on the second drive then when that's full start on the third drive? The idea is to continuously do this like a revolving door.

edit retag flag offensive close merge delete

Comments

What operating system will the capture system be running?

Chuckc gravatar imageChuckc ( 2020-04-22 21:24:05 +0000 )edit

On a Mac Mini server with Catalina and Wireshark, that is been fed from a Mikrotik RB450Gx4 and the RouterOS sniffer tool. I had tested it with for a whole week during my learning process, and it went smoothly.

It seems from the following responses that the Wireshark software is limited to capturing and recording onto the flash drive (USB3) ... I might need to use scripting/automate on the OS to switch drives when the first drive is full. Now, I am thinking how to get Wireshark to recognize when the switch occurred and to start recording again. My idea is to dissect and analyze alert issue identified by the IDS/IPS. My network consists of ISP > pfSense > Mikrotik > managed switch >clients.

Nolliwira gravatar imageNolliwira ( 2020-04-23 17:31:18 +0000 )edit

Yes, this is more of a data archiving project than a tweak the file destinations for Wireshark project.

Create a new file automatically…​
You might also look at what Security Onion does to cycle through capture files.

Chuckc gravatar imageChuckc ( 2020-04-23 17:38:06 +0000 )edit

I had thought of Security Onion but when I realize it was easy to use the Wireshark to capture and record from the Mikrotik since traffic from the Mikrotik to the pfSense is natted. I agree it seems more like data archiving. The alternative is to just manually do it if I can get Wireshark to notify me when the drive is full ... is that possible?

Nolliwira gravatar imageNolliwira ( 2020-04-23 23:53:09 +0000 )edit

It doesn't appear that Wireshark can notify when disk is full.

Nolliwira gravatar imageNolliwira ( 2020-04-24 01:28:32 +0000 )edit

3 Answers

Sort by » oldest newest most voted
0

answered 2020-04-23 17:54:59 +0000

Guy Harris gravatar image

updated 2020-04-23 20:25:07 +0000

grahamb gravatar image

As @grahamb says in his answer:

Note that there is no support currently in Wireshark or tshark that supports path switching, even when using multiple files. The "path prefix" remains the same for all files.

so the answer to "Is it possible that when one drive is full, Wireshark starts recording on the second drive then when that's full start on the third drive?" is currently "no".

edit flag offensive delete link more

Comments

Okay, Thanks.

Nolliwira gravatar imageNolliwira ( 2020-04-23 23:54:23 +0000 )edit
0

answered 2020-04-23 09:34:39 +0000

Jaap gravatar image

Your question is on network recording, not on packet dissection, the thing that Wireshark does. You should go look at what ntop.org has on offer for this.

edit flag offensive delete link more

Comments

Thank you for your response ... my question is about using Wireshark capture and records traffic as I have done in testing the software onto a flash drive ... I already know Ntoping.

Nolliwira gravatar imageNolliwira ( 2020-04-23 17:00:13 +0000 )edit

The n2disk products supports multiple destinations:

[--dump-directory|-o] <dir>          | Directory where dump files will be saved (multiple -o can be specified).
Chuckc gravatar imageChuckc ( 2020-04-23 22:14:04 +0000 )edit

This n2disk is interesting; although, I am running from the command line if I can ... GUI spoiled me! I am reading on it though.

Nolliwira gravatar imageNolliwira ( 2020-04-24 00:08:49 +0000 )edit
0

answered 2020-04-23 08:13:00 +0000

grahamb gravatar image

Depending on the rate of your traffic this may not be a viable option using USB drives.

Note that there is no support currently in Wireshark or tshark that supports path switching, even when using multiple files. The "path prefix" remains the same for all files.

edit flag offensive delete link more

Comments

It works great using a USB3 flash drive, and USB 3 ... I had already tested it for a whole week of capturing.

Nolliwira gravatar imageNolliwira ( 2020-04-23 17:03:50 +0000 )edit

As I said, depends on the rate of your traffic.

grahamb gravatar imagegrahamb ( 2020-04-23 20:25:45 +0000 )edit

It's for a home/office/lab network environment, and I am not sure how to calculate my traffic rate; however, intuitively, my traffic not that big I believe.

Nolliwira gravatar imageNolliwira ( 2020-04-24 00:01:15 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-04-22 20:59:40 +0000

Seen: 69 times

Last updated: Apr 23