First time here? Check out the FAQ!

Ask Your Question
0

Help with using dumpcap to monitor 24/7 but retain only 20 minutes
 
  
 
  
 
 
 
 
 
 
    
        
        asked Nov 10 '2  
 
 greavette gravatar image  
 
 
 
 
    
        
        updated Nov 10 '2  
 
 
 
 
 
Hello Forum,
 
I found this post on your archive forum - https://osqa-ask.wireshark.org/questi...
 
The following command will create a new capture file every 20 minutes (1200 Seconds). It will rotate the capture files, keeping only the latest five.
 
dumpcap -ni 1 -w c:\temp\phone_problem.pcap -b duration:1200 -b files:5
 
I'm using Wireshark version 4.0.1 on Windows and I have a similar need.  I'm filtering on my MAC address:
 
eth.addr==xx:xx:xx:xx:xx:xx 
 
I see that dumpcap is a separate executable.  Where do I add into this wireshark the dumpcap command to create a packet every 20 minutes and still filter by my MAC address?  My hardware is having an issue whereby it goes offline.  I don't want to create a massive packet capture file. I'm hoping to create a smaller log that captures when the device went offline.  
 
Thank you.
 
Preview: (hide)
 
 
 
 
          
 
add a comment
 
 
 
 
 
 1 Answer
    
 
 
                    Sort by »
                     oldest newest most voted 
 
 
 
 
 
  
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Nov 10 '2  
 
 SYN-bit gravatar image  
 
 
 
 
 
Dumpcap is used by wireshark to do the capturing and is installed in your Wireshark program directory. I would advise to use dumpcap directly. 
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
dumpcap man page
Chuckc gravatar imageChuckc (
    
        Nov 10 '2
    )
Hello and thank you for this reply.
When you say to use dumpcap directly, do you mean from the Windows Command Prompt?
Is there a way to include in the dumpcap command I provided a filter to only capture my MAC address?
Thank you.
greavette gravatar imagegreavette (
    
        Nov 11 '2
    )
I've tried using this dumpcap command from Windows Command Prompt but I'm receiving a syntax error on the filter part:
dumpcap -i 1 -w E:\wiresharkLogs\32Scapture.pcapng -b duration:1200 -b files:5 -f "eth.addr==xx:55:44:33:2C:xx"
greavette gravatar imagegreavette (
    
        Nov 11 '2
    )
You're trying to use a display filter as capture filter, that doesn't work. Use ether host xx:55:44:33:2C:xx instead.
However in this case, rather than using this filter, I would use the `-p' option, see the dumpcap man page.
Jaap gravatar imageJaap (
    
        Nov 11 '2
    )
Thanks very much..this was the filter I needed to use.
For anyone else finding this post here is the  full dumpcap I used to capture 5 pcapng files every 20 minutes:
dumpcap -i 1 -w E:\wiresharkLogs\capture.pcapng -b duration:1200 -b files:5 -f "ether host xx:55:44:33:2C:xx"
greavette gravatar imagegreavette (
    
        Nov 12 '2
    )
add a comment
 
 
 
 
  
 
 
 
 

    
        Your Answer
    

 
 Please start posting anonymously - your entry will be published after you log in or create a new account.

    

 
 
Add Answer
 
 
 
 
 
 
 
 
   
  
 
   
 
 
 
 
 
 
 
 
Question Tools
  
 

        
        
            1 follower
        
    
 
 
 subscribe to rss feed 
 
 
 
 
 
 
Stats
 

        Asked:  Nov 10 '2  
 
 
        Seen: 844 times 
 

        Last updated: Nov 10 '22 
 
 
 
Related questions
 
 
 How to kill dumpcap.exe - not able to kill it with taskkill running as admin 
 
 How can we dump pcap file data onto CAN bus 
 
 How can I use dumpcap to capture traffic only on port 53? 
 
 Dumpcap captures traffic, but Wireshark and Tshark can't see the interfaces 
 
 dumpcap using frame contains and write to file 
 
 Running Wireshark concurrent with dumpcap 
 
 dumpcap problem with multiple interfaces and filter 
 
 LoRaWan PCAP,  wireshark not able to interpret 
 
 Wireshark dumpcap with setcap set to no-root capture failes to start in Ubuntu 18.10 
 
 dumpcap -a duration:XX not working when capturing from Napatech card