I am investigating an issue of intermittent connectivity between two applications on separate servers, and want to set up Wireshark to capture packets between the two. The period of time I am looking to capture for is about 3 days - as the problem is intermittent and seems totally random, we have to leave the capture running the whole time to ensure that we are capturing when connectivity is interrupted.
However, the capture file gets really big really fast so I need to know if you can apply filters to the file before the capture begins, resulting in only the filtered packets being saved, and the rest discarded.
Does anyone know of a way to do this?
asked 26 Aug '12, 21:10
You can certainly apply capture filters to limit what is captured but the expressiveness of the filters is limited compared to Wireshark display filters. See Capture Filters page on the Wiki for more info.
For long-term captures you should use dumpcap rather than Wireshark (or tshark) as that program doesn't do reassembly and thus doesn't maintain state, and you can also use multiple capture files over the period of time so that no file is too large (-b option). If appropriate you can also limit the packet length captured (-s) if you don't require the full frame for your analysis.
answered 27 Aug '12, 00:37
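A dumpcap invocation that combines the three points above (a capture filter applied before packets are written, a ring buffer of capture files, and a reduced snaplen), added here as an example and not part of the original answer; the interface, host addresses, port, snaplen, file sizes and output path are assumed values:

```shell
#!/bin/sh
# Long-running capture between two application hosts with dumpcap.
# Constructed example: eth0, 10.0.0.5, 10.0.0.9 and port 8443 are assumed values.

# build_dumpcap_cmd IFACE HOST_A HOST_B TCP_PORT SECONDS_PER_FILE N_FILES MAX_KB
# Prints the dumpcap command line; the caller decides whether to run it.
build_dumpcap_cmd() {
    iface="$1"; host_a="$2"; host_b="$3"; port="$4"
    secs="$5"; nfiles="$6"; max_kb="$7"
    # BPF capture filter (-f): keep only traffic between the two hosts on the
    # application port. It is evaluated before packets are written, so
    # everything else is discarded instead of filling the disk.
    filter="host $host_a and host $host_b and tcp port $port"
    # -b duration:  start a new file every $secs seconds
    # -b files:     keep at most $nfiles files (ring buffer, oldest deleted)
    # -b filesize:  also roll over if a file reaches $max_kb kilobytes
    # -s 128:       snaplen; 128 bytes covers Ethernet/IP/TCP headers with
    #               options but drops application payload
    # -q:           quiet; -w: file prefix (dumpcap appends number + timestamp)
    printf '%s' "dumpcap -i $iface -f \"$filter\" -b duration:$secs -b files:$nfiles -b filesize:$max_kb -s 128 -q -w /var/tmp/appcap.pcapng"
}

# Hourly files kept for 3 days = 72 files; each capped at 1 GiB (1048576 KB).
CMD=$(build_dumpcap_cmd eth0 10.0.0.5 10.0.0.9 8443 3600 72 1048576)

if [ "${DUMPCAP_RUN:-0}" = "1" ]; then
    # Run only when explicitly requested (dumpcap needs capture privileges).
    eval "$CMD"
else
    echo "Dry run; set DUMPCAP_RUN=1 to start the capture:"
    echo "$CMD"
fi
```

Worst-case disk use is files multiplied by filesize (72 GiB here), so size the ring buffer to the partition before starting a multi-day capture.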