This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing Over a Long Period of Time

0

Hi Folks

I am investigating an issue of intermittent connectivity between two applications on separate servers, and want to set up Wireshark to capture packets between the two. The period of time I am looking to capture for is about 3 days. As the problem is intermittent and seems totally random, we have to leave the capture running the whole time to ensure that we are capturing when connectivity is interrupted.

However, the capture file gets really big really fast so I need to know if you can apply filters to the file before the capture begins, resulting in only the filtered packets being saved, and the rest discarded.

Does anyone know of a way to do this?

Many Thanks

Jon

asked 26 Aug '12, 21:10


Holty
accept rate: 0%


One Answer:

2

You can certainly apply capture filters to limit what is captured, but the expressiveness of the filters is limited compared to Wireshark display filters. See the Capture Filters page on the Wiki for more info.

For long-term captures you should use dumpcap rather than Wireshark (or tshark), as that program doesn't do reassembly and thus doesn't maintain state, and you can also use multiple capture files over the period of time so that no file is too large (-b option). If appropriate you can also limit the packet length captured (-s) if you don't require the full frame for your analysis.

answered 27 Aug '12, 00:37


grahamb ♦
accept rate: 22%

Hi Graham, thanks for coming back to me so quickly. I think I can get what I need using WinDump. I've tested a couple of times using simple HTTP traffic and the output is appearing in Wireshark as expected, so we are all good to go. Really appreciate your response here!

(27 Aug '12, 14:49) Holty
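The dumpcap approach from the answer above, put into a script as an added example (not code from the thread): a capture filter restricted to the two hosts, a ring buffer of hourly files sized to cover the three days, and a reduced snaplen. The hosts, interface, output path and 128-byte snaplen are assumed placeholders; dumpcap's `-d` option is used to compile the filter before the capture starts.

```shell
#!/bin/sh
# Long-running dumpcap capture of traffic between two hosts, written as a
# ring buffer of hourly files so no single capture file grows unbounded.
# Hosts, interface, output path and snaplen below are assumed placeholders.

HOST_A="${HOST_A:-192.0.2.10}"        # placeholder: first application server
HOST_B="${HOST_B:-192.0.2.20}"        # placeholder: second application server
IFACE="${IFACE:-eth0}"                # capture interface
OUTDIR="${OUTDIR:-/var/tmp/capture}"  # where the ring-buffer files go
DAYS="${DAYS:-3}"                     # how long the capture must cover
ROTATE_SECS="${ROTATE_SECS:-3600}"    # start a new file every hour
SNAPLEN="${SNAPLEN:-128}"             # bytes kept per frame; 0 keeps whole frames

# Capture filter (BPF syntax): only frames exchanged between the two hosts.
# Unlike a display filter it is applied by the capture driver, so nothing
# else is ever written to disk.
capture_filter() {
    printf 'host %s and host %s' "$1" "$2"
}

# Number of ring-buffer files needed to cover $1 days at $2 seconds per file.
# dumpcap deletes the oldest file once this many exist, so disk use is bounded.
ring_files() {
    echo $(( $1 * 86400 / $2 ))
}

run_capture() {
    command -v dumpcap >/dev/null 2>&1 || { echo "dumpcap not found" >&2; return 1; }
    mkdir -p "$OUTDIR"
    filter=$(capture_filter "$HOST_A" "$HOST_B")
    files=$(ring_files "$DAYS" "$ROTATE_SECS")
    # -d compiles the filter and exits, so a typo is caught before capturing.
    dumpcap -d -i "$IFACE" -f "$filter" >/dev/null || return 1
    # Build the argument list with set -- so the filter stays one argument.
    set -- -i "$IFACE" -f "$filter" -s "$SNAPLEN" \
           -b "duration:$ROTATE_SECS" -b "files:$files" \
           -w "$OUTDIR/app_link.pcapng"
    # Detach from the shell so a closed session does not end a 3-day capture.
    nohup dumpcap "$@" >"$OUTDIR/dumpcap.log" 2>&1 &
    echo "dumpcap started as PID $!; rotating every ${ROTATE_SECS}s, $files files kept"
}
```

With 72 hourly files and a 128-byte snaplen the three days occupy a bounded, predictable amount of disk; set SNAPLEN to 0 if the application payload itself, not just the headers, is needed for the analysis.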