Is it possible to have Tshark auto stop capturing when a certain string is captured? I've read through the documentation but I didn't see any options that would make this possible. Here's what I'm using now:

tshark.exe -a duration:15 -a filesize:2400 -i 5 -w c:\dumps\dump.dat -f "tcp port 22557"

The -a options tell tshark to capture for 15 seconds or until the capture file reaches 2400KB. Is there some other option that tells Tshark to stop capturing when a certain string is received? Like -{?} "stopcapturingwhenyouseethis"? Are there some other options I can use in conjunction with one another to achieve this sort of functionality? Thanks

asked 22 Apr '16, 20:55 eltzwabo
One Answer:
At the moment no stop condition is available directly. What you can do is to let dumpcap, rather than tshark, record the captures into ring-buffered files like you've already been doing, and use a regularly triggered or constantly running script to process each new file by tshark searching for your "stop condition" in it. The script then kills the dumpcap, and possibly sends you an e-mail or an snmp trap, when such a tshark run finds the stop condition in the file. The best scripting language for MS Windows for this purpose is your favourite one, because the task is so simple that you'll waste least time on implementing it if you use a language you already know. The reason why it makes more sense to use dumpcap than tshark to capture "until the lightning strikes" is described in this nice article by @Jasper.

answered 23 Apr '16, 00:47 sindy
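The workflow the answer describes (dumpcap writes a ring buffer, a watchdog runs tshark over each completed ring file, and dumpcap is killed on the first hit) as an added worked example; this is not code from the answer or from the Wireshark project. It assumes dumpcap and tshark are on the PATH (on Windows the full paths under the Wireshark install directory would be used instead), an output directory named "captures" and a file prefix "ring"; those names are placeholders. The ring-file naming convention (prefix_NNNNN_YYYYmmddHHMMSS.pcapng) and the -b and -Y options are standard dumpcap/tshark behaviour.

```python
"""Stop a dumpcap ring-buffer capture as soon as tshark finds a given string
in a completed ring file. Added example; not code from the original answer.
DUMPCAP/TSHARK locations, the output directory and the prefix are assumptions."""
import subprocess
import sys
import time
from pathlib import Path
from typing import Iterable, List, Optional, Set, Tuple

DUMPCAP = "dumpcap"  # assumption: on PATH (Windows: ...\Wireshark\dumpcap.exe)
TSHARK = "tshark"    # assumption: on PATH


def escape_filter_string(s: str) -> str:
    """Escape a literal for use inside a double-quoted display-filter string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def dumpcap_cmd(interface: str, capture_filter: str, out_dir: str, prefix: str,
                file_kb: int = 2400, keep_files: int = 10, roll_s: int = 15) -> List[str]:
    """dumpcap ring buffer: start a new file every file_kb KB or roll_s seconds
    and keep only the newest keep_files files (see the -b options in dumpcap(1)).
    Rolling on time bounds how long a hit can sit in a still-open file."""
    return [DUMPCAP, "-i", interface, "-f", capture_filter,
            "-b", f"filesize:{file_kb}", "-b", f"duration:{roll_s}",
            "-b", f"files:{keep_files}", "-w", str(Path(out_dir) / f"{prefix}.pcapng")]


def tshark_cmd(pcap: str, needle: str) -> List[str]:
    """Read-only tshark pass printing the numbers of frames whose bytes contain needle."""
    return [TSHARK, "-r", pcap, "-Y", f'frame contains "{escape_filter_string(needle)}"',
            "-T", "fields", "-e", "frame.number"]


def matching_frames(tshark_output: str) -> List[int]:
    """Parse '-T fields -e frame.number' output (one number per line); empty = no hit."""
    return [int(tok) for tok in tshark_output.split() if tok.isdigit()]


def select_complete_files(names: Iterable[str], prefix: str, seen: Set[str]) -> List[str]:
    """Ring files are named prefix_NNNNN_YYYYmmddHHMMSS.pcapng, so lexical order is
    creation order. The newest file is still being written by dumpcap; only older
    files that have not been checked yet are returned."""
    ring = sorted(n for n in names if n.startswith(prefix + "_") and n.endswith(".pcapng"))
    return [n for n in ring[:-1] if n not in seen]


def watch(interface: str, capture_filter: str, needle: str, out_dir: str = "captures",
          prefix: str = "ring", poll_s: float = 2.0, max_s: Optional[float] = None
          ) -> Optional[Tuple[str, List[int]]]:
    """Start dumpcap, scan each completed ring file, terminate dumpcap on the first hit.
    Returns (file name, matching frame numbers), or None if dumpcap exited or max_s passed."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    proc = subprocess.Popen(dumpcap_cmd(interface, capture_filter, out_dir, prefix))
    seen: Set[str] = set()
    started = time.monotonic()
    try:
        while proc.poll() is None:
            time.sleep(poll_s)
            names = [p.name for p in out.iterdir() if p.is_file()]
            for name in select_complete_files(names, prefix, seen):
                seen.add(name)
                res = subprocess.run(tshark_cmd(str(out / name), needle),
                                     capture_output=True, text=True)
                hits = matching_frames(res.stdout)
                if hits:
                    # stop condition met: this is where an e-mail or SNMP trap would go
                    return name, hits
            if max_s is not None and time.monotonic() - started > max_s:
                return None
    finally:
        if proc.poll() is None:
            proc.terminate()  # never leave dumpcap running without its watchdog
            try:
                proc.wait(timeout=10)
            except subprocess.TimeoutExpired:
                proc.kill()
    return None


if __name__ == "__main__":
    # usage: python stop_on_string.py <interface> "<capture filter>" "<string>"
    iface, cfilter, needle = sys.argv[1:4]
    print(watch(iface, cfilter, needle, max_s=3600))
```

Two limitations worth knowing before relying on this: "frame contains" inspects each frame on its own, so a string split across two TCP segments is not matched; and the file dumpcap is writing at the moment it is terminated may be left incomplete, which is why only already-rolled files are searched and the ring is rolled on time as well as size.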
This is not necessarily the case anymore. I tend to still use dumpcap myself for long-running captures, but at least in theory tshark should be as capable as dumpcap now, at least in terms of memory usage. See: https://blog.packet-foo.com/2013/05/the-notorious-wireshark-out-of-memory-problem/.