This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, I've been asked to capture data for my Ceton InfiniTV PCI CableCard tuner card. The error I'm trying to capture happens at the start of TV Recordings. The problem is, the error is very intermittent. I can't leave WireShark in capture mode for more than 5 or 10 minutes, or the data captured will be WAY too big!

Is there a way to schedule WireShark to capture data for 5 minutes at the top and bottom of each hour? That way I can set it and forget it until the error happens.

I'm getting frustrated trying to manually capture it. As you can imagine with Murphy's Law, the days I don't capture I get the error, and the days I spend all day trying to capture I get nothing.

So again, can I use Scheduled Tasks in Windows 7 or something? If so, how? Can I have the data be captured and saved anywhere else other than C: ? My C: is a smaller SD drive. I could let the capture run longer if I have it going to D: or a network share.

asked 24 May '12, 02:34

JazJon


You should look into using dumpcap. That will capture the traffic and write it directly to disk without using up a whole lot of memory trying to interpret the capture. You can then load the captures using Wireshark and examine them. Dumpcap can save the packets to any part of your filesystem and can filter out irrelevant packets and rotate the output files over time or size so that they aren't too big and painful to work with in Wireshark.

Look at the man page for dumpcap here. You should particularly investigate the filters to minimise the traffic you capture to the items of interest, the snaplen to limit the size of each packet stored on disk, and the ring buffer options to use multiple files.


answered 24 May '12, 03:27

grahamb ♦

I found a solution that works for now. (so I can capture 24/7) See below :)


Posted on: 24 May 2012 12:26 PM

Hi Jon,

One trick that might be helpful to you is to set up Wireshark to capture with a circular buffer (so it only saves, for instance, the last 500MB of data) - that way you can just stop the capture once the issue occurs.

Thank you, Ceton Support


Jon User

Posted on: 24 May 2012 01:02 PM

Thanks I found what you suggested under WireShark Capture Options.

I assigned a capture file to E:\WireShark my unused 500MB drive. I add the circular capture option going to my It's set to write up to 220MB per file and only keep a maximum of 2 files.

I have WireShark running 24/7 now and will stop/save the capture 60 seconds after I notice the error message popup live. (will need to catch one live of course)

Stand by

(24 May '12, 13:03) JazJon

You'll probably run out of memory running Wireshark 24/7. Even though Wireshark switches files, it's still accumulating state.

(24 May '12, 13:23) grahamb ♦
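
A dumpcap ring-buffer capture along the lines described in the answer above, as an added example that is not part of the original thread. The install path, interface number, tuner address, output folder, file sizes and file name are assumptions to adjust; the script expects a local drive letter and checks free space before starting so the ring cannot fill the disk.

```powershell
# Added example, not from the original thread. Values marked ASSUMED are placeholders.
$dumpcap   = 'C:\Program Files\Wireshark\dumpcap.exe'  # ASSUMED default install path
$outDir    = 'D:\captures'       # ASSUMED folder on the larger local drive
$iface     = '1'                 # ASSUMED: use the number listed by "dumpcap -D"
$filter    = 'host 192.0.2.10'   # ASSUMED tuner address (documentation range)
$fileKB    = 100000              # switch to a new file after about 100 MB
$fileCount = 10                  # keep only the newest 10 files (about 1 GB)
$snaplen   = 0                   # 0 = full packets; e.g. 256 keeps headers only

if (-not (Test-Path $dumpcap)) { throw "dumpcap not found at $dumpcap" }
if (-not (Test-Path $outDir))  { New-Item -ItemType Directory -Path $outDir | Out-Null }

# Refuse to start if the ring buffer (plus 20% headroom) would not fit on the drive.
$drive     = Split-Path -Qualifier $outDir
$disk      = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
$ringBytes = [int64]$fileKB * 1000 * $fileCount
if ($disk.FreeSpace -lt ($ringBytes * 1.2)) {
    $needMB = [math]::Round($ringBytes / 1MB)
    $freeMB = [math]::Round($disk.FreeSpace / 1MB)
    throw "Ring buffer needs about $needMB MB but $drive has only $freeMB MB free"
}

# -f capture filter, -s snaplen, -b ring buffer options, -w base file name.
# dumpcap appends a sequence number and timestamp to each ring file.
$dumpArgs = @(
    '-i', $iface,
    '-f', $filter,
    '-s', $snaplen,
    '-b', "filesize:$fileKB",
    '-b', "files:$fileCount",
    '-w', (Join-Path $outDir 'tuner.pcapng')
)
& $dumpcap $dumpArgs   # runs until stopped with Ctrl+C
```

Stop the capture with Ctrl+C shortly after the error appears, then open the most recent ring files in Wireshark.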

question asked: 24 May '12, 02:34

question was seen: 8,140 times

last updated: 24 May '12, 13:23