
Hi Folks

I am investigating an issue of intermittent connectivity between two applications on separate servers, and want to set up Wireshark to capture packets between the two. The period of time I am looking to capture for is about 3 days. As the problem is intermittent and seems totally random, we have to leave the capture running the whole time to ensure that we are capturing when connectivity is interrupted.

However, the capture file gets really big really fast so I need to know if you can apply filters to the file before the capture begins, resulting in only the filtered packets being saved, and the rest discarded.

Does anyone know of a way to do this?

Many Thanks

Jon

asked 26 Aug '12, 21:10


Holty


You can certainly apply capture filters to limit what is captured, but the expressiveness of the filters is limited compared to Wireshark display filters. See the Capture Filters page on the Wiki for more info.

For long-term captures you should use dumpcap rather than Wireshark (or tshark), as that program doesn't do reassembly and thus doesn't maintain state, and you can also use multiple capture files over the period of time so that no file is too large (-b option). If appropriate you can also limit the packet length captured (-s) if you don't require the full frame for your analysis.


answered 27 Aug '12, 00:37


grahamb ♦
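The answer above names the three pieces a three-day unattended capture needs (a capture filter, a ring buffer of files, a reduced snaplen). The script below puts them together in one dumpcap command line and adds a pre-flight check that compiles the filter before anything is left running for days. It is an added example, not code from the original answer or from the Wireshark project; the interface name, the two server addresses, the port and the output directory are constructed placeholders, and it assumes dumpcap is on PATH and run with capture privileges.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes dumpcap is on PATH
# and run with capture privileges; the interface name, the two server
# addresses, the port and the output directory are constructed placeholders.

# build_filter HOST_A HOST_B PORT
# BPF capture filter that keeps only packets between the two servers on the
# application's TCP port; everything else is dropped before it reaches disk.
build_filter() {
    printf 'host %s and host %s and tcp port %s' "$1" "$2" "$3"
}

# build_dumpcap_cmd IFACE HOST_A HOST_B PORT OUTDIR
# dumpcap invocation for a three-day unattended capture:
#   -f                 capture filter from build_filter
#   -s 128             128-byte snaplen (headers only; raise it if payload matters)
#   -b duration:3600   start a new file every hour
#   -b files:72        keep at most 72 files (3 days x 24 h) in the ring
#   -a duration:259200 stop automatically after 72 hours
build_dumpcap_cmd() {
    filter=$(build_filter "$2" "$3" "$4")
    printf 'dumpcap -i %s -f "%s" -s 128 -b duration:3600 -b files:72 -a duration:259200 -w %s/link.pcapng' \
        "$1" "$filter" "$5"
}

# check_filter IFACE FILTER
# Pre-flight: dumpcap -d compiles the filter to BPF and prints the program
# without capturing, so a typo in the filter fails now rather than on day two.
# Returns 2 (check skipped) when dumpcap is not installed.
check_filter() {
    command -v dumpcap >/dev/null 2>&1 || return 2
    dumpcap -i "$1" -f "$2" -d >/dev/null
}

# Example run with the placeholder values.
IFACE=eth0
HOST_A=10.0.0.11
HOST_B=10.0.0.12
PORT=8443
OUTDIR=/var/tmp/caps

CMD=$(build_dumpcap_cmd "$IFACE" "$HOST_A" "$HOST_B" "$PORT" "$OUTDIR")
echo "$CMD"
if check_filter "$IFACE" "$(build_filter "$HOST_A" "$HOST_B" "$PORT")"; then
    echo "filter compiles; start the capture with the command above"
else
    echo "filter check skipped or rejected; fix the filter before a multi-day run"
fi
```

Two caveats worth keeping in mind. A 128-byte snaplen keeps Ethernet, IP and TCP headers, which is enough to see resets, retransmissions and the timing of a stalled connection, but it truncates payload, so raise it if the application-layer exchange itself is in question. And the filter only limits what is written; a busy link can still produce large hourly files, so size the output directory for 72 of them. On Windows the OP's WinDump (tcpdump) has the same idea in `-C` (file size) and `-W` (file count) for its ring buffer.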

Hi Graham, thanks for coming back to me so quickly. I think I can get what I need using Windump; I've tested a couple of times using simple HTTP traffic and the output is appearing in Wireshark as expected, so we are all good to go. Really appreciate your response here!

(27 Aug '12, 14:49) Holty
question was seen: 9,230 times

last updated: 28 Aug '12, 01:31