This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Stop sniffing after a period of network inactivity


I'm triggering tshark to capture packets when certain events occur. The actions I'm interested in capturing might last minutes, hours, or even days before ceasing, are on multiple interfaces, arbitrary hosts/IP addresses (public and private) and are captured in unique filenames.

Unfortunately there is no magic packet that would signal the end of the event, so I have to figure out a way to stop capturing the stuff (obviously there is not much harm done if I continue to capture traffic, but eventually I'll have to kill off the process! :)) But if tshark hasn't captured any traffic in an hour or whatever, there's no need to continue.

I could write a little monitor to watch if tshark has written to the capture file lately, but I'm hoping there's some other method that might be simpler.

I'll note tshark already keeps track of time and traffic as well as how much data is written (e.g. the -a duration:{value,filesize,files} flags), so it should be an easy thing to add on ;)

Thanks for any suggestions -

dan

asked 28 May '12, 11:02


zenfish
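The "little monitor" the question mentions, written out as an added example (not from the original post or from the Wireshark project): a POSIX shell watchdog that polls the capture file's size and terminates the capture process once the file has not grown for a chosen number of seconds. The `tshark -w` wrapper at the end, and the interface/filter arguments it is given, are assumed for illustration.

```sh
#!/bin/sh
# Inactivity watchdog for a running capture (hypothetical helper, added example).
#
# watch_idle FILE PID IDLE_SECS [POLL_SECS]
#   Polls FILE every POLL_SECS (default 5). If FILE has not grown for
#   IDLE_SECS, sends SIGTERM to PID (tshark flushes and closes the file on
#   SIGTERM) and returns 0. Returns 1 if PID exits on its own first.
watch_idle() {
    file=$1; pid=$2; idle=$3; poll=${4:-5}
    last_size=-1                       # force the first poll to count as a change
    last_change=$(date +%s)
    while kill -0 "$pid" 2>/dev/null; do
        # File may not exist yet right after tshark starts; treat that as size 0.
        size=$(wc -c < "$file" 2>/dev/null | tr -d ' ')
        size=${size:-0}
        now=$(date +%s)
        if [ "$size" != "$last_size" ]; then
            last_size=$size
            last_change=$now
        elif [ $((now - last_change)) -ge "$idle" ]; then
            kill "$pid"
            wait "$pid" 2>/dev/null    # reap the child so the file is fully written
            return 0
        fi
        sleep "$poll"
    done
    return 1
}

# capture_with_idle_timeout OUTFILE IDLE_SECS [tshark capture args...]
#   Starts tshark writing to OUTFILE and stops it after IDLE_SECS of no growth.
#   Example: capture_with_idle_timeout /tmp/event-1234.pcapng 3600 -i eth0 -f "host 10.0.0.5"
capture_with_idle_timeout() {
    out=$1; idle=$2; shift 2
    tshark -w "$out" "$@" &
    watch_idle "$out" $! "$idle" 5
}
```

Polling file size rather than modification time avoids being fooled by a capture that is rewritten in place; pcapng headers written at startup count as the first "growth", so the idle clock only starts after tshark has opened the file.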