This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Automate / Schedule Capture WireShark sessions? (5 minutes top/bottom of each hour)

0

Hello, I've been asked to capture data for my Ceton InfiniTV PCI CableCard tuner card. The error I'm trying to capture happens at the start of TV Recordings. The problem is, the error is very intermittent. I can't leave WireShark in capture mode for more than 5 or 10 minutes, or the data captured will be WAY too big!

Is there a way to schedule WireShark to capture data for 5 minutes at the top and bottom of each hour? That way I can set it and forget it until the error happens.

I'm getting frustrated trying to manually capture it. As you can imagine with Murphy's Law, the days I don't capture I get the error, and the days I spend all day trying to capture I get nothing.

So again, can I use Scheduled Tasks in Windows 7 or something? If so, how? Can I have the data be captured and saved anywhere else other than C:? My C: is a smaller SD drive. I could let the capture run longer if I have it going to D: or a network share.

asked 24 May '12, 02:34


JazJon
1112
accept rate: 0%


One Answer:

1

You should look into using dumpcap. That will capture the traffic and write it directly to disk without using up a whole lot of memory trying to interpret the capture. You can then load the captures using Wireshark and examine them. Dumpcap can save the packets to any part of your filesystem and can filter out irrelevant packets and rotate the output files over time or size so that they aren't too big and painful to work with in Wireshark.

Look at the man page for dumpcap here. You should particularly investigate the filters to minimise the traffic you capture to the items of interest, the snaplen to limit the size of each packet stored on disk, and the ring buffer options to use multiple files.

answered 24 May '12, 03:27


grahamb ♦
19.8k330206
accept rate: 22%
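To make the dumpcap approach concrete for the scheduling question in the original post, here is an added example (not code from the thread or from the Wireshark project). It builds a dumpcap command that stops itself after 5 minutes, filters to one host, truncates each packet, and keeps a two-file ring buffer on a drive other than C:, then builds the schtasks command that fires it at :00 and :30 every hour. The install path, interface index "1", the 192.0.2.10 tuner address, the snaplen and the task name are assumptions; check `dumpcap -D` for your interface number. Because dumpcap only writes packets to disk, it does not accumulate per-packet state the way a 24/7 Wireshark GUI capture does.

```python
"""Added example (not from the thread): bounded dumpcap captures with a ring buffer,
registered with the Windows Task Scheduler to fire at the top and bottom of each hour."""
import subprocess
import sys

# Assumed default Wireshark install path; adjust if dumpcap.exe lives elsewhere.
DUMPCAP = r"C:\Program Files\Wireshark\dumpcap.exe"


def build_dumpcap_cmd(interface="1", outfile=r"D:\captures\ceton.pcapng",
                      capture_filter="host 192.0.2.10", snaplen=256,
                      max_seconds=300, file_size_kb=225280, ring_files=2):
    """Return the dumpcap argv for one bounded capture window.

    -a duration:N   stop automatically after N seconds (5 minutes here)
    -b filesize:KB  start a new file once it reaches this size (220 MB here)
    -b files:N      keep only the newest N files (ring buffer)
    -s snaplen      store at most this many bytes of each packet
    -f filter       BPF capture filter, so irrelevant traffic never reaches disk
    The interface index and the 192.0.2.10 tuner address are constructed placeholders.
    """
    return [
        DUMPCAP,
        "-i", str(interface),
        "-f", capture_filter,
        "-s", str(snaplen),
        "-a", f"duration:{max_seconds}",
        "-b", f"filesize:{file_size_kb}",
        "-b", f"files:{ring_files}",
        "-w", outfile,
    ]


def ring_buffer_ceiling_mb(file_size_kb=225280, ring_files=2):
    """Worst-case disk use of the ring buffer, so the target drive can be sized."""
    return file_size_kb * ring_files // 1024


def build_schtasks_cmd(task_name="Ceton dumpcap", start="00:00", every_minutes=30):
    """Return the schtasks argv that launches the capture every 30 minutes from 00:00,
    i.e. at :00 and :30 of every hour. Each run ends on its own via -a duration,
    so the task never overlaps with the next one. Task name is an assumption."""
    run = subprocess.list2cmdline(build_dumpcap_cmd())  # quotes the path with spaces
    return ["schtasks", "/Create", "/F",
            "/SC", "MINUTE", "/MO", str(every_minutes),
            "/ST", start, "/TN", task_name, "/TR", run]


def main(argv):
    """Print both commands; without --dry-run also start one capture now."""
    for cmd in (build_dumpcap_cmd(), build_schtasks_cmd()):
        print(subprocess.list2cmdline(cmd))
    if "--dry-run" in argv:
        return 0
    return subprocess.call(build_dumpcap_cmd())


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--dry-run` first to see the exact command lines. With the ring buffer on, dumpcap names each file by inserting a sequence number and timestamp before the extension (for example `ceton_00001_20120524120000.pcapng`), and only the newest two survive, so the D: drive never holds more than roughly 440 MB from this task. The snaplen is a trade-off: a small value keeps files tiny but discards payload, so raise it if the error you are chasing lives in the packet body rather than the headers.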

I found a solution that works for now. (so I can capture 24/7) See below :)


Posted on: 24 May 2012 12:26 PM

Hi Jon, One trick that might be helpful to you is to set up Wireshark to capture with a circular buffer (so it only saves, for instance, the last 500MB of data) - that way you can just stop the capture once the issue occurs.

Thank you, Ceton Support


Jon User

Posted on: 24 May 2012 01:02 PM

Thanks I found what you suggested under WireShark Capture Options.

I assigned a capture file to E:\WireShark, my unused 500MB drive. I added the circular capture option. It's set to write up to 220MB per file and only keep a maximum of 2 files.

I have WireShark running 24/7 now and will stop/save the capture 60 seconds after I notice the error message popup live. (will need to catch one live of course)

Stand by

(24 May '12, 13:03) JazJon

You'll probably run out of memory running Wireshark 24/7. Even though Wireshark switches files, it's still accumulating state.

(24 May '12, 13:23) grahamb ♦