Ask Your Question
0

Help with using dumpcap to monitor 24/7 but retain only 20 minutes

asked 2022-11-10 18:23:06 +0000

greavette gravatar image

updated 2022-11-10 22:42:12 +0000

Hello Forum,

I found this post on your archive forum - https://osqa-ask.wireshark.org/questi...

The following command will create a new capture file every 20 minutes (1200 Seconds). It will rotate the capture files, keeping only the latest five.

dumpcap -ni 1 -w c:\temp\phone_problem.pcap -b duration:1200 -b files:5

I'm using Wireshark version 4.0.1 on Windows and I have a similar need. I'm filtering on my MAC address:

eth.addr==xx:xx:xx:xx:xx:xx

I see that dumpcap is a separate executable. Where do I add into this wireshark the dumpcap command to create a packet every 20 minutes and still filter by my MAC address? My hardware is having an issue whereby it goes offline. I don't want to create a massive packet capture file. I'm hoping to create a smaller log that captures when the device went offline.

Thank you.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-11-10 23:38:43 +0000

SYN-bit gravatar image

Dumpcap is used by wireshark to do the capturing and is installed in your Wireshark program directory. I would advise to use dumpcap directly.

edit flag offensive delete link more

Comments

dumpcap man page

Chuckc gravatar imageChuckc ( 2022-11-10 23:49:58 +0000 )edit

Hello and thank you for this reply.

When you say to use dumpcap directly, do you mean from the Windows Command Prompt?

Is there a way to include in the dumpcap command I provided a filter to only capture my MAC address?

Thank you.

greavette gravatar imagegreavette ( 2022-11-11 05:14:49 +0000 )edit

I've tried using this dumpcap command from Windows Command Prompt but I'm receiving a syntax error on the filter part:

dumpcap -i 1 -w E:\wiresharkLogs\32Scapture.pcapng -b duration:1200 -b files:5 -f "eth.addr==xx:55:44:33:2C:xx"

greavette gravatar imagegreavette ( 2022-11-11 06:10:16 +0000 )edit

You're trying to use a display filter as capture filter, that doesn't work. Use ether host xx:55:44:33:2C:xx instead.

However in this case, rather than using this filter, I would use the `-p' option, see the dumpcap man page.

Jaap gravatar imageJaap ( 2022-11-11 08:12:15 +0000 )edit

Thanks very much..this was the filter I needed to use.

For anyone else finding this post here is the full dumpcap I used to capture 5 pcapng files every 20 minutes:

dumpcap -i 1 -w E:\wiresharkLogs\capture.pcapng -b duration:1200 -b files:5 -f "ether host xx:55:44:33:2C:xx"
greavette gravatar imagegreavette ( 2022-11-12 05:42:29 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-11-10 18:23:06 +0000

Seen: 768 times

Last updated: Nov 10 '22

Related questions

How to kill dumpcap.exe - not able to kill it with taskkill running as admin

How can we dump pcap file data onto CAN bus

How can I use dumpcap to capture traffic only on port 53?

Dumpcap captures traffic, but Wireshark and Tshark can't see the interfaces

dumpcap using frame contains and write to file

Running Wireshark concurrent with dumpcap

dumpcap problem with multiple interfaces and filter

LoRaWan PCAP, wireshark not able to interpret

Wireshark dumpcap with setcap set to no-root capture failes to start in Ubuntu 18.10

dumpcap -a duration:XX not working when capturing from Napatech card